According to the Law on Inspection Supervision, each authority responsible for inspection supervision is obliged to have a Plan of Inspection Supervision for every year, stipulating which actions will be carried out during that year. In addition, every three months each authority prepares an Operation Plan of Inspection Supervision with specified action plans for the following period.
Before the inspection supervision, the Commissioner may send self-assessment checklists to companies, which independently answer all questions related to personal data protection. Based on the responses, the Commissioner assesses the degree of risk and forms a plan for conducting inspections.
By analyzing the Commissioner's Plan of regular Inspection Supervision for 2021, we can see various types of inspection supervision directed at different Controllers.
For example, the regular supervision conducted by the Commissioner in accordance with the Plan of Inspection Supervision may further be classified into:
- Planned supervision, with a focus on:
a) Ministries, cities, and provinces;
b) E-commerce stores.
- In addition to planned supervision, there are also so-called targeted supervisions. If you belong to either of these categories, you may be first in line as a subject of supervision:
a) You have been identified as critical or high risk, based on the analyzed self-assessment checklist;
b) You have not filed the necessary self-assessment checklist.
In addition to the regular supervision, the Commissioner may conduct special inspection supervision, based both on official authority and on proposals and complaints by third parties.
According to the Commissioner's statement of November 12, 2021, the authority sent self-assessment checklists to over 1007 companies during 2021, after which the Commissioner determined that regular supervision would be conducted in 186 companies.
The Plan of Inspection Supervision in 2021 further states that the Commissioner's conclusion, based on the analysis of responses from the completed self-assessment checklists, is that supervised entities do not fully understand the questions asked and do not know the legal terminology, even though the questions from the self-assessment checklists refer to specific legal provisions.
The Commissioner further states in the Plan that from the responses of supervised entities, it can be concluded that a vast number of people do not have specific professional qualifications, nor professional knowledge and experience in the field of personal data protection.