Supervisory authorities are starting to enforce GDPR requirements for international data transfers

The following topic should be on every company’s mind at the moment: supervisory authorities are currently stepping up their activity regarding the use of online tools from non-EU service providers. To reduce your risk of a fine, we recommend that you take certain necessary steps now.

International data transfers: supervisory authorities have started enforcing “Schrems II”

Following the Austrian and the French DPAs, Italy’s Garante is now the third data protection authority in the EU to decide that the use of Google Analytics violates the GDPR. The reasoning is that Google, as a service provider, has not taken sufficient data security measures for the transfer of end user data to the United States. From our point of view, it is only a matter of time until a corresponding decision follows from Germany. This development is a consequence of the European Court of Justice’s “Schrems II” judgment and the position of the European Data Protection Board that personal data may only be transferred to non-EU countries if a sufficient level of data protection is ensured. Specifically, in the case of the United States, this is currently simply not possible in practice (and a solution to this issue at a political level is unlikely in the medium term). The situation is identical for other jurisdictions such as Russia or China. Controllers not established in the EU are facing the same situation when obtaining data directly from data subjects, albeit for different legal reasons.

What you should do now to reduce your risk of a fine:

  1. Check which tools from US service providers you are using (e.g., Google Analytics or Mailchimp) – we can help you identify the relevant services.
  2. Where possible, switch to a GDPR-compliant provider – we are prepared to help you choose the best alternatives.
  3. Alternatively, reduce the amount of data that you share (for example, by installing a proxy server in the case of Google Analytics) – we can help you determine where such a solution is possible.

Please let us know if you have any further questions about this or if we can support you in any other way.