The authority can demand access to all information that is necessary for the fulfilment of their tasks, can point out putatively offences against the GDPR and can also prohibit a certain kind of processing.
The authority can ask for access to your records and can perform data protection audits on site.
In doing so, the authority also checks if
- the data is being processed accordingly to its purpose and fairly,
- the safety measures are state of the art,
- the staff handles data protection questions correctly,
- there are processes for the deletion of no longer needed data,
- … .