Client Alert: German DPAs start data transfer enforcement

Introduction

Yesterday a number of German Data Protection Authorities joined together to launch a new initiative to gather data as the prelude to possible enforcement activity on data transfer after last year’s Schrems ruling which set limits on Standard Contractual Clauses (SCCs).  The questionnaire is detailed and requires answers a number of questions on how the organisation transfers data.  It is likely to lead to a concerted effort in Germany to enforce GDPR rules on data transfer.

What is the background?

Last year the ECJ invalidated the EU-US Privacy Shield and set limits on the use of SCCs when transferring data outside the EEA.  There is some background on the case and the consequences here, including a short film explaining the issues https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/.

The issues with data transfer are one of the 5 trends from the first 3 years of GDPR enforcement which we spoke about in our film here https://www.corderycompliance.com/gdpr-key-trends-3-years/.

Who is behind this enforcement activity?

The initiative has the support of a number of German DPAs.  One of the most outspoken on data transfer has been Dr. Johannes Caspar, the DPA in Hamburg.  Dr. Caspar was responsible for German’s highest GDPR fine to date of around €35.3m against H&M last year (see https://www.corderycompliance.com/hmbbfdi-fines-hm-for-gdpr-violations/).  He was also responsible for enforcement activity in 2016 after the collapse of Safe Harbor, the predecessor to Privacy Shield (see https://www.corderycompliance.com/more-safe-harbor-enforcement-fines-for-three-multinational-companies/).  Dr. Caspar has said that the goal is to “broadly enforce” the requirements of the ECJ in last year’s decision.  Other DPAs in Germany are engaged on this issue too however – for example the Bavarian DPA has taken action already against the use of Mailchimp.

What does the questionnaire ask?

There are 5 questionnaires in total dealing with different processing activities.  The questionnaires cover:

1. the use of service providers for sending e-mails
2. the use of service providers for web hosting
3. online tracking
4. job applicant data
5. intra-group data transfers

The list of questions covers all sorts of data transfers including:

• intra-group transfers (e.g. to a parent company in the US)
• third-party providers such as e-mail services, web hosting platforms and services for web tracking or managing applicants’ data
• the exchange of customer data and employee data within companies

In addition there are questions on:

• the frequency of data transfers (including intra-group)
• where servers are based
• which personal data an external hosting platform can have access to
• the legal bases for all transfers
• the format of any SCCs used
• the due diligence done prior to signature
• whether you or a data importer might be subject to US surveillance laws
• the steps you take to keep up to date with developments and make changes where necessary
• whether data is encrypted

The DPAs also request a copy of GDPR Art. 30 records showing the data transfers which are taking place.

What happens next?

Enforcement remains with each individual German DPA.  They will decide on their own enforcement priorities.  We have seen previously that some DPAs within Germany are more aggressive than others and that’s likely to remain the case here too.

At an EU level we’re waiting for new SCCs to be finalised.  That may well happen this month.   There’s some background on that here https://www.corderycompliance.com/edpb-approves-uk-ddpad/.

Some DPAs are already enforcing the ECJ’s decision – for example with the suspension of data transfers to Cloudflare by the Portuguese DPA last month – https://www.corderycompliance.com/cnpd-enforces-schrems3/. Data transfer has also been a feature of recent French cases including the fines of  €2.25 million for Carrefour and €800,000 for Carrefour Banque (see https://www.corderycompliance.com/french-dpr-fine-for-dtt-non-compliance/).

 

What should you do now?

If you have received a questionnaire you should consider carefully how you respond.  It is likely that you will want specialist legal assistance especially with providing answers to questions asking the legal basis of transfers.

Whether or not you have received a request you might want to consider:

1. Getting ready for requests for information from DPAs. Some DPAs outside Germany may copy this exercise too.  Make sure that regulatory requests in your organisation are always escalated and dealt with properly.
2. Thinking about how you transfer data. If you previously relied on Privacy Shield you will need to look at another plan – but other options like SCCs or Binding Corporate Rules (BCRs) are not likely to be a perfect solution either.
3. It is also important to look carefully at who you do business with. We’ve spoken before of a double-due diligence test – make sure you’ve done due diligence on who you are sending data too and where you are sending it.  You might need to show this due diligence to a DPA or to a court so make sure your process will stand up to scrutiny.
4. In a post-GDPR world employees and customers are likely to ask questions about the way in which you make data transfers lawful. Be ready for their questions. Some prepared FAQs may help your HR team and contact centres respond to these questions. Works councils are also asking questions too.
5. Look at your transparency obligations. Some large organisations still refer to Privacy Shield in their privacy policies. They are leaving themselves open to civil action as well as enforcement action (like for example the Amazon case here https://www.corderycompliance.com/munich-privacy-shield-action/).  You might need to alter other documents too including internal notices to employees and GDPR Article 30 records.

Further information

There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service.  GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply.  More details are at www.bit.ly/gdprnav.

There are details of the Mailchimp case here https://bit.ly/32vW2pD

Dr. Caspar’s announcement is here https://bit.ly/3i7RgYt

The specimen questionnaires can be downloaded here https://bit.ly/3wODNbS

There is more information on individual DPA websites as follows:

Bavaria https://www.lda.bayern.de/media/pm/pm2021_03.pdf

Berlin https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2021/20210601-PM-Schrems_II_Pruefung.pdf

Brandenburg https://www.lda.brandenburg.de/lda/de/service/presseinformationen/details-presse/~01-06-2021-koordinierte-pruefung-internationaler-datentransfers

Hamburg https://datenschutz-hamburg.de/pressemitteilungen/2021/06/2021-06-01-fragebogen-datentransfer

Lower Saxony https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/landesdatenschutzbehorden-kontrollieren-umsetzung-des-eugh-urteils-schrems-ii-in-unternehmen-200860.html

Rhineland-Palatinate https://www.datenschutz.rlp.de/de/aktuelles/detail/news/detail/News/koordinierte-pruefung-internationaler-datentransfers/

Saarland https://www.datenschutz.saarland.de/datenschutz/aktuelles/detail/presseinformation-koordinierte-pruefung-internationaler-datentransfers-laenderuebergreifende-kontrolle-der-datenschutzaufsichtsbehoerden-von-unternehmen-zur-umsetzung-der-schrems-ii-entscheidung-des-europaeischen-gerichtshofs

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH		André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784		Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com		Andre.bywater@corderycompliance.com