500 German companies will be asked in the coming weeks by 10 German data protection authorities (“DPAs”) to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.

Background of the enquiry

The DPAs recognize a “massive growth” in trans-border flows of personal data, in part due to the use of cloud services. Many small- and medium-sized companies are processing employee, job applicant, and customer data on servers located outside of the European Union, or they are using Software-as-a-Service solutions. The DPAs’ past experience shows that many companies are not aware of the privacy law requirements for the use of such services, in particular the need to ensure an adequate level of data protection for each transfer of personal data to third countries. In order to create more “sensitivity” for compliance in this regard, companies will be asked to give specific answers about products and services from providers outside the EU or EEA.

The questionnaire

The questions cover intra-group transfers, remote software support, travel management, customer relationship management, marketing, recruiting, skill databases, cloud storage, email and newsletter services, communication services, office cloud, chat or messaging, quality management, and compliance schemes. Companies are asked to identify the services used, and to state how an adequate level of data protection is secured. Both management and the in-house data protection officer are asked to confirm the accuracy of all answers by signing.

If the data are transmitted under the Privacy Shield, the company is asked whether it relied on a statement by the recipient, or verified the US Department of Commerce list. The company also has to state whether an in-house data protection officer is appointed, and if this is case, whether this person has been involved in the past on the issue of the lawfulness of the transfers.

The scope of the enquiry

The questionnaires will be sent to 500 companies selected randomly, but representative of different industries and company sizes. Out of the 500 companies, approximately 150 will be under the jurisdiction of the Bavarian DPA. Once the answers are received by the DPAs, the completed questionnaires will be evaluated, and if considered necessary, the DPAs will start a “more thorough investigation”.

Legal background to international data transfers

For any transfer of personal data to another group company or a third party recipient, including service providers, the EU data controller must ensure an adequate level of data protection. This can be achieved by the recipient’s country being recognized as having such adequate level (like Switzerland) or by other means like Privacy Shield, Standard Contractual Clauses, or the use of BCR.

Practical advice

If a company receives the questionnaire, utmost importance should be given to appropriately handling it.

The use of written questionnaires is not uncommon for German DPAs. Similar probes were used after the invalidation of Safe Harbor, but on a smaller scale. Past experience shows that the DPAs used “wrong” answers to start investigations of the respective companies. Such investigations even lead to administrative fines against non-compliant companies. Fines up to EUR 300,000 are possible under German law.

The same has to be expected in this case. The questionnaire needs to be carefully reviewed, and answers should also consider that the DPAs will cross-check the replies by the 500 companies, and compare and evaluate the use of certain products and services.

The official press release and questionnaire (in German), are available here: https://www.lda.bayern.de/de/international_audit.html.