Takea­ways (AI):
  • FDPIC acti­ve sin­ce the intro­duc­tion of the DPA: Initi­al­ly, the focus was on intro­duc­to­ry work and the pro­ce­s­sing of old legal clarifications.
  • super­vi­so­ry tasks: Various opti­ons such as for­mal inve­sti­ga­ti­ons and infor­mal preli­mi­na­ry cla­ri­fi­ca­ti­ons are beco­ming incre­a­sing­ly important.
  • Char­ges for DSG vio­la­ti­ons: By 05.11.2024, 1,183 reports had been sub­mit­ted, 889 of which have alre­a­dy been completed.
  • Low-thres­hold inter­ven­ti­ons suc­cessful: 86 inter­ven­ti­ons were car­ri­ed out, 90% were fol­lo­wed vol­un­t­a­ri­ly, which shows effec­ti­ve regulation.

The FDPIC has published some figu­res on his acti­vi­ties after the new DSG published sin­ce coming into force and up to the report­ing date of 05.11.2024 (Media release).

In the first pha­se after the ent­ry into force and until the first quar­ter of 2024, the FDPIC team pri­ma­ri­ly dealt with the imple­men­ta­ti­on of the new law (e.g. Leaf­lets, ins­truc­tions, etc.), in addi­ti­on to the ongo­ing tasks and the pro­ce­s­sing of the exi­sting old legal cla­ri­fi­ca­ti­ons of facts. Sin­ce then, super­vi­so­ry tasks have beco­me more of a focus, which has been cle­ar­ly noti­ceable in prac­ti­ce. The FDPIC essen­ti­al­ly has the fol­lo­wing opti­ons for this:

  • For­mal inve­sti­ga­ti­onFor­mal inve­sti­ga­ti­on of “per­so­nal data pro­ce­s­sing that could vio­la­te fede­ral data pro­tec­tion regu­la­ti­ons on the basis of con­cre­te indi­ca­ti­ons” (actual­ly: inve­sti­ga­ti­on of suspec­ted vio­la­ti­ons of fede­ral data pro­tec­tion law, which must be rela­ted to data pro­ce­s­sing – other­wi­se the FADP would not app­ly – but which do not have to con­sist of the pro­ce­s­sing its­elf; suspec­ted vio­la­ti­ons of accom­pany­ing obli­ga­ti­ons can also be the sub­ject of an investigation);
  • Infor­mal preli­mi­na­ry cla­ri­fi­ca­ti­oninfor­mal cla­ri­fi­ca­ti­on of whe­ther or not the con­di­ti­ons for ope­ning for­mal inve­sti­ga­ti­ons are met;
  • Low-thres­hold inter­ven­ti­onThis is an effec­ti­ve approach in prac­ti­ce, becau­se even if the­re is no need to fear an inve­sti­ga­ti­on, the FDPIC’s state­ments also car­ry weight out­side of an inve­sti­ga­ti­on, which is why even low-thres­hold acti­vi­ties are in fact a form of regu­la­ti­on. The FDPIC should the­r­e­fo­re only make legal assess­ments in such low-thres­hold inter­ven­ti­ons with cau­ti­on (e.g. whe­ther joint respon­si­bi­li­ty exists in a cer­tain con­stel­la­ti­on not inve­sti­ga­ted at this stage or whe­ther an adjust­ment of pro­ce­s­sing acti­vi­ties is necessary).

The FDPIC does not have the right to file a cri­mi­nal com­plaint, but it does have the right to report the few offi­ci­al offenses.

The FDPIC has published the fol­lo­wing figu­res in the inte­rim report:

Dis­plays and messages

Reports recei­ved due to vio­la­ti­ons of the DPA: 1,183

  • in pro­gress: 294
  • com­ple­ted: 889

Data breach reports recei­ved: 293

Super­vi­so­ry actions

Low-thres­hold inter­ven­ti­ons: 86

  • fol­lo­wed vol­un­t­a­ri­ly: ca. 90%

Preli­mi­na­ry cla­ri­fi­ca­ti­ons and inve­sti­ga­ti­ons ope­ned under new law: 26

  • com­ple­ted: 7

The fol­lo­wing figu­res, for exam­p­le, are not known:

  • Num­ber of inter­ven­ti­ons fol­lo­wing noti­fi­ca­ti­on of a data breach
  • Sub­ject of the inve­sti­ga­ti­ons bro­ken down by pro­ce­s­sing prin­ci­ples, data sub­ject rights and gover­nan­ce obligations
  • Num­ber of cri­mi­nal char­ges for offi­ci­al offen­ses (pre­su­ma­b­ly still none or almost none)
  • Per­cen­ta­ge of vol­un­t­a­ry reports of secu­ri­ty breaches
  • Type of secu­ri­ty brea­ches reported
  • Num­ber of repor­ted data pro­tec­tion advi­sors vs. num­ber of orga­nizati­ons sub­ject to report­ing requi­re­ments (fede­ral aut­ho­ri­ties inclu­ding orga­nizati­ons out­side the admi­ni­stra­ti­on such as social insu­rance institutions)
  • Num­ber of access requests to the FDPIC under the FADP rela­ting to noti­fi­ca­ti­ons, reports and super­vi­so­ry actions (in any case not zero)

AI-gene­ra­ted takea­ways can be wrong.