The German Data Protection Commissioner has issued an update on her view regarding the CJEU’s decision on Safe Harbor and its consequences. The paper states that transfers on the basis of model clauses or binding corporate rules are also in question. German Data Protection Authorities will exercise their powers of audit over data transfers based on model clauses and will not currently grant any new authorisations for data transfers to the US based on binding corporate rules or ad hoc data export agreements. The Commissioner has noted that transfers may be based on consent but not if repeated in large numbers or routinely, and consent to transfer employee data will only be a valid basis for data transfers in exceptional cases. The German Data Protection Commissioner also reiterated that transfers based solely on the Safe Harbor regime are prohibited.

Position paper (in German)