In a coordinated written audit, 10 German data protection supervisory authorities will review the transfer of personal data to countries outside the EU in the coming weeks. 500 companies were selected on a random basis by the data protection supervisory authorities to be audited. The data protection supervisory authorities made sure to include companies of various sizes and different sectors in the audit.

Ten German data protection supervisory authorities are involved in the audit in the states of Bavaria, Berlin, Bremen, Hamburg, Lower Saxony, Mecklenburg-Western Pomerania, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, and Saxony-Anhalt.

Background of the investigation by the data protection supervisory authorities

According to the data protection authorities involved, it is a key objective of the audit to raise awareness among companies with regard to data transfers to countries outside the European Union. In order to make it easier for companies to find such data transfers, they are also specifically asked for the use of products and services provided by external providers that are associated with the transfer of personal data to non-EU countries.

Requested information

In a standardized questionnaire, companies are asked to provide comprehensive information on the transfer of personal data to the U.S. and other third countries. The questionnaire on international data transfer of the Bavarian State Office for Data Protection Supervision can be accessed here or on the website of the supervisory authority at https://www.lda.bayern.de/en/international.html.

Practical tip:

If companies intend to transfer personal data to the U.S. or to other third countries, they must first review whether it can be ensured at all that the data will remain adequately protected even after the transfer. Otherwise, no transfer of personal data to third countries will be permitted. The audited companies are requested to indicate on which basis of data protection law the transfers are made, such as whether an adequate data protection level is recognized for the target country by decision of the European Commission (e.g., the “EU-US Privacy Shield”), whether EU standard contractual clauses or binding corporate rules (BCR) can be used as basis of the data transfer, or whether the transfer can be based on the consent of the data subjects.

Experience in comparable audits has shown that responses to the audit questions should be given within the period set, and the information should be very carefully selected. Otherwise, unnecessary additional questions from the auditing supervisory authority may follow. Inadequate or incorrect information may be punished with administrative orders and fines of up to EUR 300,000.00.