International data transfers: German supervisory authorities announce audits following “Schrems II”

Following the judgment of the European Court of Justice in the “Schrems II” matter in July 2020, it was clear that the “Privacy Shield” agreement could no longer be used to justify data transfers from the EU to the US. As a result, thousands of businesses throughout the EU faced the task of legally structuring their international data transfers (not only) to the US. There was no transition period, but the supervisory authorities had not yet taken action.

On 1 June, however, the German data protection authorities have announced concerted audits on the correct implementation of the “Schrems II” judgment and published questionnaires for this purpose, which will be sent to businesses over the next few weeks – and which could form the starting point for corresponding audit and, possibly, fines.

1.    What are the requirements for international data transfers under the GDPR?
With regard to the requirements of the GDPR for international data transfers, a distinction must be made between two “steps”:

  • Legal basis for the data transfer: The “first step”, international data transfers – like all other data transfers – requires a legal basis under art. 6 GDPR. The most relevant legal bases in practice are the consent of the data subject to the transfer, the necessity of the data transfer for the performance of a contract with the data subject, and data transfers based on the legitimate business interests of the controller. 
  • Safeguards to ensure data security: In addition, data transfers to countries for which there is no adequacy decision by the EU Commission (e.g. the US or the UK), require “appropriate safeguards” under art. 46 GDPR, which aim to ensure a level of data protection at the data recipient comparable to that in the EU (the “second step”). In practice, so-called standard contractual clauses between the data exporter and the data importer are the usual choice here.

    However, at the “second step”, it must be noted that the ECJ’s “Schrems II” judgment explicitly emphasised that each individual international data transfer requires a so-called risk assessment discussing whether additional safeguards are necessary to ensure an appropriate level of data security. This is regularly the case with data transfers to the US.

    The European Data Protection Board has published recommendations on these “additional safeguards”, which, however, are of little help when making decisions on individual cases. The new version of the standard contractual clauses, which was published today, does not resolve this issue either.

2.    German supervisory authorities plan to audit international data transfers

While the German data protection authorities had exercised restraint around the “Schrems II” matter until now, the “grace period” has apparently expired now. According to a press release from the Berlin Commissioner for Data Protection and Freedom of Information of 1 June, the German supervisory authorities are planning to send jointly developed questionnaires to selected businesses. It is therefore advisable to prepare for a possible audit. In the following, we will highlight the key issues at stake.

3.    The questionnaires

The supervisory authorities of the German Länder have drafted a set of questionnaires to audit the implementation of the “Schrems II” judgment in businesses. Whether all 19 German data protection supervisory authorities will participate in these audits, is currently unknown. So far, the supervisory authorities of the following Länder have announced their participation:

  • Baden-Württemberg
  • Bavaria
  • Berlin
  • Brandenburg
  • Hamburg
  • Lower Saxony
  • Reinland-Pfalz
  • Saarland

Each supervisory authority will individually decide on which of the subject areas listed below it will conduct audits and whether the questionnaires will be adapted locally. The variants used in Hamburg are available on the website of the Hamburg Commissioner for Data Protection and Freedom of Information.
The questionnaires cover the following topics:

  • services for sending emails
  • website hosting providers
  • web tracking services
  • management of job applicant data
  • intra-group exchange of customer and employee data
  • Depending on the subject matter, the following questions will be asked:
  • Which service providers are used?
  • Does the service provider act as (independent) controller, joint controller, or processor?
  • Where are the servers located?
  • How long have you been using the service provider?
  • What categories of personal data are being processed?
  • What is the legal basis for the data processing (“first step”)?
  • Is there a data transfer to a third country?
  • On which “safeguards” (e.g. standard contractual clauses) is the international data transfer based (“second step”)?
  • Has a risk assessment been carried out for the international transfer of data?
  • Have additional safeguards been implemented?
  • Are you planning to switch to a different (European) solution?
  • Is there a compliant register of processing activities?

4.    The core of the matter: “additional safeguards” and “risk assessments”

A first example has already been set: On 10 March, the Bavarian State Office for Data Protection Supervision (BayLDA) ordered an online retailer to stop using the US-based newsletter service provider Mailchimp. In the BayLDA’s view, before transferring the email addresses of its newsletter recipients, the business should have carried out a risk assessment to determine whether, in addition to the standard contractual clauses (contained in Mailchimp’s terms), additional safeguards to ensure an adequate level of data security should have been implemented and contractually agreed with the provider. This was not the case, as the business had simply trusted in the legality of the much-used service. Moreover, Mailchimp does not offer – as some other cloud services do – a “European solution” where the data remains in the EU.

The fact that every business must now check the corporate seat and server location for all online services used and, after carrying out a specific risk assessment, agree on and implement individual additional safeguards with the provider is of course practically inconceivable. The bureaucratic effort associated with this model – also called “Standard Contractual Clauses Plus” – is enormous. Those who shy away from it must switch to a European solution – or accept the risk of a fine:

5.    Possible consequences for businesses

In the “Schrems II” judgment, the ECJ emphasised that supervisory authorities must prohibit unlawful international data transfers. It can be assumed that the data protection authorities will work towards suspending any transfer where the lawfulness is ambiguous. However, further supervisory measures may also be taken: Taking into account the time since the ECJ’s decision in which businesses had the opportunity to restructure their data transfers in a compliant manner (or suspend them), it can be assumed that the first fines for non-compliance with the “Schrems II­” judgment ­will be imposed in the near future.

We strongly advise that you check the lawfulness of your current international data transfers. Please do not hesititate to contact us for advice and, if necessary, our assistance in carrying out the documented risk assessment required by the supervisory authorities if the only currently available alternative –switching to a European solution – is not an option. 
 Dr. Lukas Mezger, Dr. Frank Eickmeier, UNVERZAGT Rechtsanwälte

Your Contact to ePrivacy: