DPA RATING ™

DPA RATING™ – Who to trust? Readiness Reality Check 2018

CORPORATIONS vs DPA – When so many companies are not in compliance with GDPR by MAY 25th 2018, how is it looking on the other side of the fence with the DPA’s, are they “themselves” ready?

GDPR Watchdog wonder if we can trust DPA’s to protect their citisens under the new General Data Protection Regulation and be on top of the GDPR? We know from experience that there are big internal differences inside Europe, not only in regards to culture and corruption but also to level of readiness to follow the law and prosecute those who don’t. We have also seen very little official campaigns to educate the data subjects about their new rights. The only country truly active in this for the time being is UK.

GDPR Watchdog has therefore sent a list of important questions to the DPA – Data Protection Authority in each of the European countries in order to evaluate them!
Our rating is from 1 to 5 stars * depending on how they are working and planning to audit, prosecute and collect the fines against companies which are violating the new General Data Protection Regulation laws. 1-3 Stars for public education, audit and execution plans, 1 star for answering within 15 days, 1 star for the list of DPA accredited GDPR certifying companies.

Here is the list of questions sent to DPA’s in order to rate them:

  1. When and what kind of public awareness campaigns are you planning to do to inform your citizens about their new privacy rights as many still don’t know anything about GDPR?
  2. How many people do you have working in your Data Protection Agency?
  3. What is the size of your operating budget?
  4. Are you Proactive or just waiting to receive complaints from consumers?
  5. How many companies do you plan to audit per month?
  6. Is the hard drive of the photocopy machine included in the audit?
  7. Have you been in contact with the prosecutor’s office?
  8. Would you consider to give a warning instead of a fine?
  9. How much do you expect to collect in fines in the first 12 months?
  10. Do you have a list of approved companies who are accredited to issue GDPR certificates? If YES, please attached it to the answers so we can contact them (that list alone counts for 1 star).
Data breaches must be reported within 72 hours to the DPA and DPO must be reported within 15 days. We use same time frame for answering the questions, so 3 days is excellent and 15 days is the maximum time frame set to answer our questions, answering the 10 questions within 15 day alone counts for 1 star as it shows better than average public office engagement towards citizens and companies. As you know, then the response time is one of the most important factors in connection with GDPR.

 

We have also sent questions to Mr. Giovanni Buttarelli the European Data Protection Supervisor(EDPS) in Brussels and asked for a meeting with the legal council who advised and consulted WP29 during the process of preparing and implementing the new General Data Protection Regulation into law.

Our questions to the supervisor, WP29 and their legal council are:

  1. How did you reach the 4% of Global Turnover, why was it not 2% or 10%?
  2. Why is EUR 20 million the number and not EUR 100 million?
  3. How are you planning to enforce the law as all European states have not reached an equal level of implementing the new regulations into their law and some countries do not have sufficient manpower, knowledge or even worse; interest to pursue audit and subsequently prosecute under the law?
  4. Is the prosecutors office in each member state ready, and do they have guidelines in place on what and how prosecute? If YES, which counties?
  5. Have the legal council and WP29 taken into consideration that larger companies might sell there entire infrastructure and databases to a independent legal identity with a share capital of i.e. EUR 1 million and rent the equipment and database services from their new affiliate company so in case of fines, they can never be liable for more than their share-capital and could bankrupt their service company to avoid bigger fines?
  6. How much does the EU expect to collect in fines in 2018 and 2019? Is there a budget?

National Data Protection Authorities:

THIS IS A PROVISIONAL RATING – FINAL RATING JUNE 2018

Austria – DPA RATING ***
Österreichische Datenschutzbehörde
Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
e-mail: dsb@dsb.gv.at
Website: http://www.dsb.gv.at/
Art 29 WP Member: Dr Andrea JELINEK, Director, Österreichische Datenschutzbehörde

Belgium – DPA RATING ***
Commission de la protection de la vie privée
Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
e-mail: commission@privacycommission.be
Website: http://www.privacycommission.be/
Art 29 WP Vice-President: Willem DEBEUCKELAERE, President of the Belgian
Privacycommission

Bulgaria – DPA RATING ***
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Fax +359 2 915 3525
e-mail: kzld@cpdp.bg
Website: http://www.cpdp.bg/
Art 29 WP Member: Mr Ventsislav KARADJOV, Chairman of the Commission for Personal
Data Protection
Art 29 WP Alternate Member: Ms Mariya MATEVA

Croatia – DPA RATING ***
Croatian Personal Data Protection Agency
Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
e-mail: azop@azop.hr or info@azop.hr
Website: http://www.azop.hr/
Art 29 WP Member: Mr Anto RAJKOVAČA, Director of the Croatian Data Protection
Agency

Cyprus – DPA RATING ***
Commissioner for Personal Data Protection
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
e-mail: commissioner@dataprotection.gov.cy
Website: http://www.dataprotection.gov.cy/
Art 29 WP Member: Ms Irene LOIZIDOU NIKOLAIDOU
Art 29 WP Alternate Member: Mr Constantinos GEORGIADES

Czech Republic – DPA RATING ***
The Office for Personal Data Protection
Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
e-mail: posta@uoou.cz
Website: http://www.uoou.cz/
Art 29 WP Member: Ms Ivana JANŮ, President of the Office for Personal Data Protection
Art 29 WP Alternate Member: Mr Ivan PROCHÁZKA, Adviser to the President of the Office

Denmark – DPA RATING ***
Datatilsynet
Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Fax +45 33 19 32 18
e-mail: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/
Art 29 WP Member: Ms Cristina Angela GULISANO, Director, Danish Data Protection
Agency (Datatilsynet)
Art 29 WP Alternate Member: Mr Peter FOGH KNUDSEN, Head of International Division at
the Danish Data Protection Agency (Datatilsynet)

Estonia – DPA RATING ***
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Väike-Ameerika 19
10129 Tallinn
Tel. +372 6274 135
Fax +372 6274 137
e-mail: info@aki.ee
Website: http://www.aki.ee/en
Art 29 WP Member: Mr Viljar PEEP, Director General, Estonian Data Protection
Inspectorate
Art 29 WP Alternate Member: Ms Maarja Kirss

Finland – DPA RATING ***
Office of the Data Protection Ombudsman
P.O. Box 315
FIN-00181 Helsinki
Tel. +358 10 3666 700
Fax +358 10 3666 735
e-mail: tietosuoja@om.fi
Website: http://www.tietosuoja.fi/en/
Art 29 WP Member: Mr Reijo AARNIO, Ombudsman of the Finnish Data Protection
Authority
Art 29 WP Alternate Member: Ms Elisa KUMPULA, Head of Department

France – DPA RATING ***
Commission Nationale de l’Informatique et des Libertés – CNIL
8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
Website: http://www.cnil.fr/
Art 29 WP Member: Ms Isabelle FALQUE-PIERROTIN, President of CNIL
Art 29 WP Alternate Member: Ms Florence RAYNAL

Germany – DPA RATING ***
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
e-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/
The competence for complaints is split among different data protection supervisory
authorities in Germany. Competent authorities can be identified according to the list provided under https://www.datenschutz-wiki.de
Art 29 WP Member: Ms Andrea VOSSHOFF, Federal Commissioner for Freedom of
Information
Art 29 WP Alternate Member: Prof. Dr. Johannes CASPAR, representative of the federal
states

Greece – DPA RATING ***
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
e-mail: contact@dpa.gr
Website: http://www.dpa.gr/
Art 29 WP Member: Mr Konstantinos Menoudakos, President of the Hellenic Data
Protection Authority
Art 29 WP Alternate Member: Dr.Vasilios ZORKADIS, Director

Hungary – DPA RATING ***
National Authority for Data Protection and Freedom of Information
Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400
e-mail: peterfalvi.attila@naih.hu
Website: http://www.naih.hu/
Art 29 WP Member: Dr Attila PÉTERFALVI, President of the National Authority for Data
Protection and Freedom of Information
Art 29 WP Alternate Member: Mr Endre Győző SZABÓ Vice-president of the National
Authority for Data Protection and Freedom of Information

Ireland – DPA RATING ***
Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757
e-mail: info@dataprotection.ie
Website: http://www.dataprotection.ie/
Art 29 WP Member: Ms Helen DIXON, Data Protection Commissioner
Art 29 WP Alternate Members: Mr John O’DWYER, Deputy Commissioner; Mr Dale
SUNDERLAND, Deputy Commissioner

Italy – DPA RATING ***
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
e-mail: garante@garanteprivacy.it
Website: http://www.garanteprivacy.it/
Art 29 WP Member: Mr Antonello SORO, President of Garante per la protezione dei dati
personali
Art 29 WP Alternate Member: Ms Giuseppe BUSIA, Secretary General of Garante per la
protezione dei dati personali

Latvia – DPA RATING ***
Data State Inspectorate
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
e-mail: info@dvi.gov.lv
Website: http://www.dvi.gov.lv/
Director: Ms Daiga Avdejanova
Art 29 WP Alternate Member: Ms Aiga BALODE

Lithuania – DPA RATING ***
State Data Protection
Žygimantų str. 11-6a
011042 Vilnius
Tel. + 370 5 279 14 45
Fax +370 5 261 94 94
e-mail: ada@ada.lt
Website: http://www.ada.lt/
Art 29 WP Member: Mr Algirdas KUNČINAS, Director of the State Data Protection
Inspectorate
Art 29 WP Alternate Member: Ms Neringa KAKTAVIČIŪTĖ-MICKIENĖ, Head of
Complaints Investigation and International Cooperation Division

Luxembourg – DPA RATING ***
Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
e-mail: info@cnpd.lu
Website: http://www.cnpd.lu/
Art 29 WP Member: Mr Christophe BUSCHMANN, President of the Commission Nationale
pour la Protection des Données and deputy member for Luxemburg in the Art 29 WP and
member of the Technologies Subgroup
Art 29 WP Alternate Member: Mr Thierry LALLEMANG, Commissioner

Malta – DPA RATING ***
Office of the Data Protection Commissioner
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
e-mail: commissioner.dataprotection@gov.mt
Website: http://www.dataprotection.gov.mt/
Data Protection Commissioner: Mr Joseph Ebejer
Art 29 WP Member: Mr Saviour CACHIA, Information and Data Protection Commissioner
Art 29 WP Alternate Member: Mr Ian DEGUARA, Director – Operations and Programme
Implementation

Netherlands – DPA RATING ***
Autoriteit Persoonsgegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
e-mail: info@autoriteitpersoonsgegevens.nl
Website: https://autoriteitpersoonsgegevens.nl/nl
Art 29 WP Member: Mr Aleid WOLFSEN, Chairman of Autoriteit Persoonsgegevens

Poland – DPA RATING ***
The Bureau of the Inspector General for the Protection of Personal Data – GIODO
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 53 10 440
Fax +48 22 53 10 441
e-mail: kancelaria@giodo.gov.pl; desiwm@giodo.gov.pl
Website: http://www.giodo.gov.pl/
Art 29 WP Member: Ms Edyta BIELAK-JOMAA, Inspector General for the Protection of
Personal Data

Portugal – DPA RATING ***
Comissão Nacional de Protecção de Dados – CNPD
R. de São. Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
e-mail: geral@cnpd.pt
Website: http://www.cnpd.pt/
Art 29 WP Member: Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de
Dados
Art 29 WP Alternate Member: Isabel CRUZ, Secretary-General of the DPA

Romania – DPA RATING ***
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 21 252 5599
Fax +40 21 252 5757
e-mail: anspdcp@dataprotection.ro
Website: http://www.dataprotection.ro/
President: Mrs Ancuţa Gianina Opre
Art 29 WP Member: Ms Ancuţa Gianina OPRE, President of the National Supervisory
Authority for Personal Data Processing
Art 29 WP Alternate Member: Ms Alina SAVOIU, Head of the Legal and Communication
Department

Slovakia – DPA RATING ***
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
e-mail: statny.dozor@pdp.gov.sk
Website: http://www.dataprotection.gov.sk/
Art 29 WP Member: Ms Soňa PŐTHEOVÁ, President of the Office for Personal Data
Protection of the Slovak Republic
Art 29 WP Alternate Member: Mr Anna VITTEKOVA, Vice President

Slovenia – DPA RATING ***
Information Commissioner
Zaloška 59
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
e-mail: gp.ip@ip-rs.si
Website: https://www.ip-rs.si/
Art 29 WP Member: Ms Mojca PRELESNIK, Information Commissioner of the Republic of
Slovenia

Spain – DPA RATING ***
Agencia de Protección de Datos
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200
Fax +34 91455 5699
e-mail: internacional@agpd.es
Website: https://www.agpd.es/
Art 29 WP Member: Ms María del Mar España Martí, Director of the Spanish Data
Protection Agency
Art 29 WP Alternate Member: Mr Rafael GARCIA GOZALO

Sweden – DPA RATING ***
Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
e-mail: datainspektionen@datainspektionen.se
Website: http://www.datainspektionen.se/
Art 29 WP Member: Ms Kristina SVAHN STARRSJÖ, Director General of the Data
Inspection Board
Art 29 WP Alternate Member: Mr Hans-Olof LINDBLOM, Chief Legal Adviser

United Kingdom – DPA RATING ***
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745
e-mail: international.team@ico.org.uk
Website: https://ico.org.uk
Art 29 WP Member: Ms Elizabeth DENHAM, Information Commissioner
Art 29 WP Alternate Member: Mr Steve WOOD, Deputy Commissioner

EUROPEAN FREE TRADE AREA (EFTA)

Iceland – DPA RATING ***
Icelandic Data Protection Agency
Rauðarárstíg 10
105 Reykjavík
Tel. +354 510 9600; Fax +354 510 9606
e-mail: postur@personuvernd.is

Liechtenstein – DPA RATING ***
Data Protection Office
Kirchstrasse 8, P.O. Box 684
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
e-mail: info.dss@llv.li

Norway – DPA RATING ***
Datatilsynet
The Data Inspectorate
P.O. Box 8177 Dep
0034 Oslo
Tel. +47 22 39 69 00; Fax +47 22 42 23 50
e-mail: postkasse@datatilsynet.no
Data Protection Authority: Mr Bjørn Erik THORN

Switzerland – DPA RATING ***
Data Protection and Information Commissioner of Switzerland
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Hanspeter THÜR
Feldeggweg 1
3003 Bern
Tel. +41 31 322 4395; Fax +41 31 325 9996
e-mail: contact20@edoeb.admin.ch

 

* Please note the ratings is not final, we have by default given 3 Stars to each of them, when the questions have been answered, we will do the final rating between 1-5 Stars depending on how serious each DPA is handling GDPR!

The final rating will be released in an international press released in June 2018