Audit Preparation Supervisory Authority: 10-Point Checklist

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Single point of contact: One compliance officer coordinates all audit interactions to prevent contradictory statements
  • Documentation packs: RoPA, DPAs, DPIAs, TOM concept, training logs, breach logs ready in digital + paper form
  • Cooperation cuts fines 30-60%: Per Art. 83(2) GDPR, fully cooperative behavior plus immediate corrective measures
  • Employee briefing matters: Truthful but no self-incrimination; "I don't know, the compliance officer can answer" is a valid response
  • Post-audit follow-up: Lessons learned within 14 days, action plan, proactive communication where helpful

1. Documentation collection ready to hand

RoPA (Records of Processing Activities), DPAs, DPIAs, TOM concept, training log, breach log, incident response plan, and prior audit reports, in both digital and paper form (some authorities still require hard copies). Keep everything updated within the last 90 days and retain it for 6-10 years after case closure.

2. Compliance officer as single point of contact

One person coordinates all audit requests. This prevents contradictory statements between departments. The compliance officer triages questions, retrieves documents, and escalates when legal advice is needed.

3. Legal counsel on site

For on-site audits: external counsel present. Counsel safeguards procedural rights, advises on declarations, and ensures the company is not bound by hasty oral statements. Cost: 200-400 EUR per hour, but routinely pays for itself in reduced fines.

4. Employee briefing

Brief staff on "What do I say in an audit?": the truth, but no self-incrimination. When uncertain: "I don't know, the compliance officer can answer." Avoid coaching with prescribed answers (could constitute obstruction of justice). Instead: realistic training on conduct standards.

5. Physical setup

Conference room with projector or screen, Wi-Fi for the auditor, refreshments. Separate room for employee interviews (away from supervisors to prevent perceived pressure).

6. Management presence

Management presence is usually not required, but advisable for critical topics or where decisions on remediation budget are needed. The managing director should be reachable on short notice.

7. Communication style

Factual, cooperative, precise. Not defensive, not aggressive. Cooperative behavior reduces fines by 30-60% under Art. 83(2) GDPR. Combined with immediate corrective action (close gaps, run training): another 20-30% reduction.

8. Employee interviews

The supervisory authority may interview employees under Section 40 BDSG (German Federal Data Protection Act) or Section 51 ECG (Austrian E-Commerce Act). Compliance officer or counsel may attend. Interview minutes should be reviewed and signed by the employee.

9. Document the audit yourself

Keep your own minutes. Which questions were asked? Which documents were handed over? What was said, and when? This is critical for follow-up and for any later dispute about the audit's scope.

10. Post-audit follow-up

Within 14 days: lessons learned, action plan with owners and deadlines, where appropriate proactive notification to the supervisory authority of remediation steps. Good follow-up turns a difficult audit into a credibility builder.

Summary

Supervisory authority audits do not have to be confrontational. With a single point of contact, complete documentation packs, briefed employees, and a cooperative tone, even sensitive cases produce manageable outcomes. The 30-60% fine reduction lever for cooperation under Art. 83(2) GDPR is real and well documented in case practice. Combine that with thorough preparation and the audit becomes manageable.


Frequently Asked Questions

What should I do when the supervisory authority calls?

Immediate actions within 24-48h:

  1) Do not take the call yourself; forward it to the compliance officer or lawyer.
  2) Request a written inquiry (what, why, deadline).
  3) Take minutes of the phone call, with the exact wording where possible.
  4) Engage legal counsel preventively, even if no proceedings are threatened.
  5) Alert the internal compliance team and secure the relevant documents as evidence.
  6) Inform management: ad-hoc meeting within 24h.

Most common mistake: spontaneous verbal statements on the phone, which can become binding. Golden rule: 'We will gladly respond in writing after consultation.'

Which documents should be readily available?

Audit documentation packages by compliance area:

  • GDPR: record of processing activities (RoPA), data processing agreements (DPAs), DPIAs, TOM concept, training logbook, data breach logbook, DPO appointment.
  • NIS2: ISMS policies, risk register, IRP, BCM plan, asset inventory, patch logs, supplier audits.
  • AI Act: AI inventory, AI literacy training records, FRIAs (from 12/2027), AUP.
  • German Whistleblower Protection Act (HinSchG): reporting office appointment, procedural rules, audit report under Section 22, confidentiality concept.
  • AGG (German General Equal Treatment Act): complaints office documentation, selection score sheets, bias tests.

Format: digital + paper (some supervisory authorities require paper copies). Updated within the last 90 days. Retention: 6-10 years after case closure.

How can I achieve a fine reduction through cooperation?

Practical reduction levers (Art. 83(2) GDPR):

  1) Self-disclosure before the supervisory authority inquires: 30-60% reduction.
  2) Cooperative fact-finding (all documents provided voluntarily): 20-40%.
  3) Immediate corrective measures (e.g. close the gap, catch up on training): 20-30%.
  4) Threat-to-existence argument (Art. 83(2)(k)): 10-50% in case of demonstrable economic hardship.
  5) First-time offense with no prior record: 10-20%.

Maximum reduction with a cooperative approach: 60-80% of the original fine demand. Caution: only with legal counsel, since self-incriminating statements can have adverse effects.

Should I allow employee interviews during an on-site audit?

Legally mandatory: the supervisory authority may interview employees pursuant to Section 40 BDSG / Section 51 ECG. Practical considerations:

  1) Train employees before the audit appointment ('What do you say during questioning?': the truth, but no self-incrimination).
  2) The compliance officer or lawyer may be present during questioning (a right of both the employee and the employer).
  3) Hold interviews in a neutral room, not in the presence of supervisors (protection from pressure).
  4) Have the interview protocol reviewed and signed by the employee.
  5) For sensitive answers: 'I don't know, the compliance officer can answer.'

Critical: no 'coaching' with prescribed answers, which can constitute obstruction of justice. Instead: realistic training on conduct standards.