On 7 November 2018, the data protection authority of the Free State of Bavaria, Germany, issued a press release that, now that the European General Data Protection Regulation (GDPR) has been in effect for six months, the authority will intensify its GDPR compliance monitoring. The Bavarian data protection authority is responsible for monitoring GDPR compliance in the state of Bavaria within the non-public sector. The authority's intensified monitoring activities will, in general, concern cybersecurity vulnerabilities and GDPR information duties.

For example, the authority will monitor whether online shops whose operations are based in Bavaria and local doctors' practices have adequate cybersecurity measures in place. According to the authority, in recent months, online shops were increasingly the target of attacks in which the hacker tried to gather customers' payment information. In doctors' practices, increased use of "ransomware" has been reported. This type of malicious software allows an attacker to, inter alia, block access to certain data until a ransom is paid. The authority is also concerned with whether small and medium-sized companies have provided job applicants with sufficient information on how their personal data is processed in the company's application process.

Another focus of the authority's monitoring will be whether major companies satisfy their GDPR accountability obligations. Under the GDPR, the data protection authorities do not have to provide evidence of non-compliance. Rather, upon request, the data controller itself has to demonstrate to the respective authority that it is in compliance with its obligations. To collect information on the implementation of the GDPR within major companies, the Bavarian authority has provided such companies with a questionnaire .

Other state data protection authorities are likely to follow the Bavarian example of intensified monitoring.

Originally published November 16, 2018

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.