The authority may request access to all information necessary for the performance of its tasks, may point out alleged violations of the GDPR and may also prohibit a certain type of processing.
The authority may inspect and conduct on-site data protection reviews.
Among other things, this involves checking,
- whether the data are processed in good faith in accordance with the purpose,
- whether the security measures are state of the art,
- whether employees are handling data protection issues correctly,
- Whether there are processes for deleting data that is no longer needed,
- … .