The President of the PPDPO has published an announcement on the sector audit plan for 2024. In addition to the annual audit of bodies processing personal data in the Schengen Information System and the Visa Information System, it has been decided to designate two audit areas for 2024.

This year, the President of the PPDPO has decided to continue auditing the way personal data processed in connection with the use of Internet (web) applications is secured and shared. Due to the wide range of uses for web applications, the audits may, for example, extend to entities that process personal data in communication and video conferencing applications, data management and storage applications or CRM systems that are used to manage customer and client relationships.

The supervisory authority’s audit in the area of web applications may extend to such areas as:

  • taking into account the principle of privacy by design and privacy by default (Article 25 of the GDPR),
  • use of appropriate technical and organisational measures based on a risk analysis (Article 32 of the GDPR),
  • legal basis for sharing personal data in connection with the use of the application (Article 6 and Article 9 of the GDPR).

For many organisations, the use of web applications is a key element in their day-to-day operations. Entrepreneurs should consider carrying out audits of web applications’ GDPR compliance to get ahead of possible audit activities by the authority.

The second area of the audit identified by the President of the PPDPO is the correctness of compliance with the information obligation under Articles 13–14 of the GDPR. In this case, the range of entities that may be audited is even broader. Although it has been almost 6 years since the GDPR came into force, it is still not a guarantee that data controllers will meet these obligations properly. They find it difficult to: provide data subjects with the required information in accordance with the facts, formulate the content of data processing notices in plain language, as well as correctly apply a layered approach to carrying out the obligations of Articles 13–14 of the GDPR.

It is worth taking advantage of the audit announcement from the President of the PPDPO in this area to comprehensively review the content of the data processing notices you use, both in the customer/client area and the business area, as well as towards the controller’s employees.