
04 March 2026
newsletter
austria

Data protection compliance: a call to action!

Within the framework of the "Coordinated Enforcement Framework", the data protection authorities of the EU Member States, together with the European Data Protection Board (EDPB), set the authorities' annual audit priorities. In recent years, audits have focused on the use of cloud services by public bodies, the implementation of the right of access and, last year, the right to erasure at hundreds of companies.[1] These audits have directly led to numerous administrative penalty proceedings being initiated ex officio, often resulting in fines. Both SMEs and large companies have been audited.

Coordinated enforcement audits 2026

The enforcement audits for 2026 will focus on controllers' compliance with the transparency and information obligations under Articles 12, 13 and 14 GDPR. The Austrian Data Protection Authority has announced that it will additionally audit the security of processing requirements under Article 32 GDPR, including the associated documentation obligations under Article 30 and, where applicable, the risk assessment under Article 35 GDPR. This means that compliance with the fundamental requirements of the GDPR will be the focus of this year's review:

  1. The right to information and transparency are core elements of data protection and are fulfilled, in particular, through the preparation and conscientious, regular updating of privacy policies. Privacy policies must always be kept up to date by controllers and must contain current and complete information in accordance with Articles 13 and 14 GDPR. Data subjects must be informed of any material changes in the controllers' processing activities. In some cases, a mere update of the privacy policy is not sufficient.
  2. The documentation obligation of controllers consists, in particular, of maintaining a record of processing activities pursuant to Article 30 GDPR. This record must also always be up to date and must fully reflect the controller's current data processing operations.
  3. The processing security requirements concern technical and organisational measures (TOMs). These must be appropriately secure and must be regularly reviewed, improved and updated.
  4. The risk assessment concerns, in particular, the obligation to carry out a data protection impact assessment if the conditions under Article 35 GDPR are met. If a data protection impact assessment is deemed not to be required, the decision-making process and its outcome must nevertheless be documented.

Specific to-dos

To be prepared for any (unannounced) audit by the data protection authority, the company's entire data protection documentation must be critically reviewed. It can be assumed that the authority will examine more closely any inconsistencies discovered, for example, during its review of the record of processing activities. Furthermore, data protection practices must reflect the requirements arising from the extensive data protection case law of recent years, including: (i) the tiered obligation to communicate specific recipient identities (CJEU 12 January 2023, C-154/21, Österreichische Post); (ii) stricter obligations regarding data transfers to third countries (CJEU 16 July 2020, C-311/18, Schrems II) and for the selection and documentation of legal bases (CJEU 4 July 2023, C-252/21, Meta Platforms); and (iii) stricter requirements regarding the position of the Data Protection Officer (Austrian DPA 16 October 2024, DSB-D550.769). In addition, all documents must be brought up to date and the actual processing activities must be accurately and completely reflected.

We would be pleased to assist you in implementing a legally compliant and comprehensive update of your data protection compliance and the related documentation.

author: Florian Terharen, Attorney at Law (Vienna, Austria)