- FDPIC active since the introduction of the DPA: Initially, the focus was on introductory work and the processing of old legal clarifications.
- supervisory tasks: Various options such as formal investigations and informal preliminary clarifications are becoming increasingly important.
- Charges for DSG violations: By 05.11.2024, 1,183 reports had been submitted, 889 of which have already been completed.
- Low-threshold interventions successful: 86 interventions were carried out, 90% were followed voluntarily, which shows effective regulation.
The FDPIC has published some figures on his activities after the new DSG published since coming into force and up to the reporting date of 05.11.2024 (Media release).
In the first phase after the entry into force and until the first quarter of 2024, the FDPIC team primarily dealt with the implementation of the new law (e.g. Leaflets, instructions, etc.), in addition to the ongoing tasks and the processing of the existing old legal clarifications of facts. Since then, supervisory tasks have become more of a focus, which has been clearly noticeable in practice. The FDPIC essentially has the following options for this:
- Formal investigationFormal investigation of “personal data processing that could violate federal data protection regulations on the basis of concrete indications” (actually: investigation of suspected violations of federal data protection law, which must be related to data processing – otherwise the FADP would not apply – but which do not have to consist of the processing itself; suspected violations of accompanying obligations can also be the subject of an investigation);
- Informal preliminary clarificationinformal clarification of whether or not the conditions for opening formal investigations are met;
- Low-threshold interventionThis is an effective approach in practice, because even if there is no need to fear an investigation, the FDPIC’s statements also carry weight outside of an investigation, which is why even low-threshold activities are in fact a form of regulation. The FDPIC should therefore only make legal assessments in such low-threshold interventions with caution (e.g. whether joint responsibility exists in a certain constellation not investigated at this stage or whether an adjustment of processing activities is necessary).
The FDPIC does not have the right to file a criminal complaint, but it does have the right to report the few official offenses.
The FDPIC has published the following figures in the interim report:
Displays and messages
Reports received due to violations of the DPA: 1,183
- in progress: 294
- completed: 889
Data breach reports received: 293
Supervisory actions
Low-threshold interventions: 86
- followed voluntarily: ca. 90%
Preliminary clarifications and investigations opened under new law: 26
- completed: 7
The following figures, for example, are not known:
- Number of interventions following notification of a data breach
- Subject of the investigations broken down by processing principles, data subject rights and governance obligations
- Number of criminal charges for official offenses (presumably still none or almost none)
- Percentage of voluntary reports of security breaches
- Type of security breaches reported
- Number of reported data protection advisors vs. number of organizations subject to reporting requirements (federal authorities including organizations outside the administration such as social insurance institutions)
- Number of access requests to the FDPIC under the FADP relating to notifications, reports and supervisory actions (in any case not zero)