T 2.174 Lack of or inadequate data protection monitoring
Monitoring of the applicable data protection provisions, first and foremost of the technical and organisational safeguards, will often remain insufficient if it is wrongly regarded as an unproductive cost factor. Data protection monitoring may also become significantly more difficult if the corresponding requirements are not integrated during the development and testing of procedures.
Normally, efficient data protection monitoring is not ensured if no Data Protection Officer is appointed in a company or government agency, if the appointed Data Protection Officer is inadequately qualified or trained, or if the appointed Data Protection Officer is inadequately supported or not informed in good time (insufficient personnel and equipment).
Examples:
- The head of the computer centre is appointed as the internal Data Protection Officer, since he has the best technical knowledge for the position. The conflict of interest that exists in this case is not detected. For example, in his function as Data Protection Officer, he would have to review security specifications he made for operating IT procedures or log files stored for misuse detection.
- An internal data protection directive is issued, according to which the Data Protection Officer must provide a report at annual intervals. However, the appointed Data Protection Officer has been ill for 2 years and no substitute was appointed, so no report is created.