Who supervises Article 30 RoPA compliance in Germany — the BfDI or a Landesdatenschutzbehörde?
Both, by remit. The BfDI supervises at federal level, and the 17 Landesdatenschutzbehörden supervise at state level — for most private companies, the data protection authority of the Land where the company is established is the competent supervisor and the body that would request the Verzeichnis von Verarbeitungstätigkeiten in an audit. The authorities coordinate their expectations through the Datenschutzkonferenz (DSK), whose Kurzpapiere set the form German reviewers expect. Acompli records the competent supervisory authority per legal entity, so a group with entities in several Länder, Ireland and the UK exports each register in the format its own authority — Landesdatenschutzbehörde, DPC or ICO — expects.