A Study on Corporate Compliance with Transparency Requirements of Data Protection Law

Abstract

Modern information systems reach a degree of complexity which is inscrutable for citizens. The transparency regulations of data protection law try to counteract this. However, it is unknown how effective these regulations are. To our knowledge, there is no convincing study on the state of corporate compliance with transparency regulations available. We set up a quantitative and qualitative study with a sample of 612 representative companies. We evaluated the transfer of per- sonal data, the compliance with transparency requirements on commercial e-mails, and the compliance with requirements derived from the right of access. In the pro- cess, we took advantage of automated analysis with e-mail honeypots but used also individual assessments of information provided by companies. We found out that most companies do not transfer personal data without consent. Requirements on commercial e-mails are fulfilled as well. However, the situation of the right of access is much worse. Most information provided by companies is insufficient.