Inspection process - procedure and useful advice

7 April 2020


In the Slovak Republic, the state administration authority supervising the protection of personal data is the Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the “Office”).

The Office shall begin the inspection:

  • on the basis of an application initiating proceedings, which may only be brought by a data subject who considers that his rights have been violated in the processing of personal data pursuant to the Data Protection Act or the GDPR,
  • on the initiative of a person other than the data subject,
  • on its own initiative, if it suspects a breach in the processing of personal data, or because the controller is included in the control plan.

How is the inspection carried out?

The actual inspection begins on the day the notice of initiation of the inspection is delivered to the inspected entity, such as a company, municipality, school, civic association and the like. The notice is a written document through which the Office informs the inspected entity about the subject and purpose of the inspection, the place and date of the inspection, and the legal provisions whose observance will be one of the objects of the inspection.

In most cases, the inspection date is announced in advance to the inspected entity. However, the Office does not apply this procedure where giving notice of the initiation of the inspection in advance would defeat its purpose.

The date of commencement of the inspection is therefore the date on which the inspected entity receives the notice of initiation of the inspection. In the case of an 'unannounced' inspection, that day may also be the date on which the members of the inspection body arrive on the spot.

Each inspector is required to present a written authorization from the manager before commencing the inspection. Where the manager is a member of the supervisory body, the members of the supervisory body shall carry out the inspection on the basis of a written authorization from the President of the Office.

Upon arrival at the place of inspection, the members of the inspection body conduct an interview with the inspected entity, through which the inspectors seek to ascertain the facts relevant to the case and thus fulfill the purpose of the inspection. The statements of the inspected entity are recorded in the minutes, which form the basis for the output of the inspection. At the conclusion of the inspection, the inspected entity is required to sign the relevant minutes.

During the inspection, inspectors are most likely to request photocopies of the relevant documents. These may include security documentation, contracts for the processing of personal data between the controller and the intermediary, documents that each employee must sign (confidentiality, familiarity with the data subject, consent to the processing of personal data in cases where the personal data of employees may be processed only on that legal basis, the authorization of the data subject if it carries out processing operations on behalf of the controller), and others.

As the controller is obliged to take appropriate security measures in accordance with the GDPR, it should be borne in mind that the members of the supervisory body will focus not only on how security measures are defined on paper but also on how they are implemented in practice. This means, for example, whether the controller keeps an archive and where it is located, how secure the server room is, how secure the offices are against entry by persons who are not authorized to enter these premises, and also what measures the controller has taken to reduce risks it cannot control, for example those due to natural events.

Entities subject to the obligation to designate a data protection officer under the GDPR must ensure that the officer is present during the course of the inspection.

Upon completion of the on-site inspection, the output of the inspection is written. This output can take one of two forms:

  1. record - the supervisory authority prepares it if it has not found any violations of the Personal Data Protection Act or the GDPR as part of the audit. Once it is signed, the inspection officially ends without sanctions being imposed on the inspected entity,
  2. protocol - the supervisory authority prepares it if it found deficiencies in the processing of personal data during the inspection.

The Office shall deliver the inspection output to the inspected entity. If the inspection resulted in a protocol, the inspected entity has the right to object to the statements in the protocol within 21 days from the date of its receipt. The inspection body shall inform the inspected entity in writing of the outcome of its review of the objections within 15 working days from the date of receipt of the objection(s).

The inspection shall be completed by:

  • signing the minutes on the review of the protocol,
  • refusing to sign the minutes on the review of the protocol,
  • failing to attend the review of the protocol at the written request of the inspection body,
  • delivering the inspection record.

If the inspection activity finds a breach in the processing of personal data, the Office may impose a fine of up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Some useful advice

  1. If you receive a notice of initiation of an inspection, always contact your data protection officer for instructions on how to proceed. The officer will also help you carry out a preliminary audit in order to remedy any shortcomings that the Office might consider as aggravating circumstances.
  2. At the actual start of the inspection, that is, when the inspectors begin the on-the-spot inspection, insist that the members of the inspection body prove their legitimacy, and then carefully examine the authorizations they present. This will prevent a false inspection, which would be a security incident. A sample authorization can be found at: https://dataprotection.gov.sk/uoou/sites/default/files/vzor_poverenia.pdf
  3. Members of the inspection body will certainly appreciate it if you make photocopies of the documents to be reviewed in advance.
  4. When handing over photocopies of the requested documents, insist on the signing of a handover protocol.
  5. At the conclusion of the on-the-spot check, the inspection body shall sign the minutes. It is therefore essential that you read the minutes properly before signing.
  6. It is in your best interest to give the inspection body the required cooperation in a timely manner. Communicate with the Office, since early cooperation may be taken into account as a mitigating or aggravating circumstance when the amount of the fine is determined.


osobnyudaj.sk, s.r.o. Námestie osloboditeľov 3/A,
040 01 Košice
