The State Data Protection Inspectorate (SDPI), acting as the supervisory authority for the protection of personal data under the General Data Protection Regulation (GDPR), plans to carry out 16 planned inspections and 10 monitoring visits in 2024 in organisations in both the public and the private sector.
Through the planned inspections and monitoring, the supervisory authority learns about the actual personal data processing activities in the organisations inspected, and aims to identify risks and help organisations improve. The SDPI chooses to review the activities of only a few organisations in a sector, but the results of the inspections are relevant not only to the inspected organisation but also to others in the sector. Once the inspections are completed, the supervisory authority prepares and publishes a summary of the inspections, which is made available to each organisation. This enables each sector to review its own performance on the basis of the results of the inspections.
In 2024, the SDPI plans to monitor 10 organisations with regard to security measures, i.e. privileged access, destruction of personal data, use of encryption tools and change management.
The SDPI also plans to re-inspect 6 organisations that were inspected in previous years and where deficiencies were identified and/or instructions were issued. In 2024, it will follow up on the implementation of the instructions given and/or the rectification of the deficiencies identified.
In 2024, inspections on the enforcement of data subjects’ right of access are planned in 10 organisations. These are inspections in the Member States of the European Economic Community, initiated and coordinated by the European Data Protection Board (EDPB) and carried out by national supervisory authorities. These inspections will use questionnaires harmonised across the supervisory authorities.
On cooperation with the supervisory authority
It is important that the inspected organisations cooperate with the supervisory authority carrying out the inspections and monitoring. Any obstruction of the exercise of the rights or duties conferred on SDPI staff by the legislation governing their activities, and any non-compliance with, or improper execution of, lawful instructions and requests (such as refusal to provide information, concealment of documents, or avoidance of attendance and explanations) will give rise to liability. That is, failure to comply with an instruction from the SDPI or to grant access (Art. 58(1) GDPR) will give rise to liability for the inspected entity (Art. 83(5)(e) GDPR). Please note that in 2023, out of the 13 fines imposed, as many as 6 fines (totalling EUR 21 360) were imposed by the SDPI for non-compliance with the supervisory authority’s instructions.