T 2.170 Lack of transparency for the person concerned and authorities in charge of monitoring data protection
If personal data is collected without the person concerned being informed about the planned processing and the legal basis, transparency is disputable.
It is also disputable if the person concerned is not provided with information about the origin and the recipient of this data, as well as deletion periods.
If the authorities in charge of monitoring data protection are not informed in good time before
- new procedures are introduced,
- new procedures are released,
- administrative provisions are issued,
- automated retrieval procedures are implemented, or
- data processing is commissioned,
they are prevented from suggesting data protection improvements early enough for these to still be taken into consideration while the procedure is being developed. The responsibility for complying with the data protection provisions remains with the data processing centre even if the authorities in charge of monitoring data protection are involved.
The work of the monitoring authorities is made more difficult by missing or insufficient logging and documentation of the processing of personal data and by documentation that is not updated when procedures change. Efficient control can also be jeopardised by incomplete or outdated directories of the IT systems used, inadequate configuration overviews, and missing wiring diagrams.
Missing or incomplete information about the internal directories and, as far as required by law, about the public directories jeopardises the transparency of data processing for the person concerned and the monitoring authorities.
Examples:
- A person concerned suffered damage as a result of inadmissible automated data processing by a public agency. An attempt to obtain more detailed information by viewing the procedural directory (if such a directory is present) with the competent State Commissioner for Data Protection may fail because the commissioner does not have any reports or because the report does not detail the partners of implemented transmissions, although this is mandatory.
- Due to missing procedural descriptions, nobody working in the public agency knows which files from which agencies are administered by which employee.