Because only those who actively engage with the situation and take a look behind the scenes can achieve improvement.
A regular data protection audit is useful for the controller, because it is an appropriate control measure by means of which compliance with the legal requirements is determined and documented.

All employees who have, or may have, access to personal data should at least receive regular data protection training. New employees should be formally bound to confidentiality when they join the enterprise. Departing employees are obliged to hand over all equipment and documents containing personal data to another person who is bound to data secrecy.

In order to support the data protection officer of an enterprise and to document the implementation of the legal requirements in an independent manner, the German Association for Data Protection advises on internal data protection audits.

A data protection audit is used to review which employees of the controller come into contact with personal data, how this contact occurs and how the processing of personal data is carried out. Compliance with the legal requirements is assessed. An audit usually involves the following work steps:

1. Identification: collection of information and analysis of the data processing procedures

2. Classification: classification of the data according to its legal nature

3. Review & Recommendation: measures for better protection of personal data and information

1. Identification

The first step in a data protection audit is the identification of the data available to the controller. In corporations or groups of companies, however, the controller itself must first be identified.

The data protection auditors of the German Association for Data Protection examine the procedures and document the enterprise-related processes. The data processing systems in use at the enterprise are checked and recorded in the audit documentation. A detailed analysis of the data processing is carried out by interviewing the employees and, if necessary, the members of the employees' representation. The findings are documented.

An anonymous enterprise-wide survey gives our data protection auditors an even clearer understanding of the controller's data use and storage processes. Employees are also asked whether they have understood and observed the data protection guidelines.

2. Classification

A subsequent data classification allows the controller, inter alia, to use resources more efficiently and to place data requiring special protection under appropriate safeguards.

It is also possible to distinguish between legally protected (personal) data and other data. By categorizing the data, IT departments are able to protect the processed data even better, and personnel and financial resources can be allocated more precisely. Unused data can be identified and erased, both for cost optimization and to satisfy the principle of data minimisation.

In the audit report, our auditors also record whether the existing data protection guidelines for the classification of data are observed by the employees of the controller.

3. Review & Recommendation

The auditors of the German Association for Data Protection review whether the data protection guidelines and procedures are appropriate and proportionate, and whether they have been correctly implemented by the controller.

The basic data protection structure of the controller is documented once the examination is complete. On this basis, recommendations for the protection of personal data are made where the auditors consider them necessary.

For example, as part of a data protection audit, the German Association for Data Protection examines the following questions:

How are persons entitled to query data identified?

Are there systems that prevent unauthorized access to data?

Is there a system that monitors access to data?

How are the data protection guidelines communicated?

An extensive examination sheds light into the dark corners.