Following the decision that invalidated the Safe Harbor agreement (refer to our two most recent newsletters), media reports indicate that the supervisory authorities have likely reached a compromise regarding the transfer of data to the United States:

In contrast to previous statements issued by the data protection supervisory authority for Schleswig Holstein (“ULD”), it recently declared that it considers data transfers to the Uni- ted States to be invalid even if EU standard contractual clauses or binding corporate rules and consent from the affected parties are used to provide additional security: (https://www. Urteil.pdf).

The data protection supervisory authorities for Hesse and Bavaria, on the other hand, as- sert that the EU standard contractual clauses may be “under investigation”, but are not excluded as instruments in this context ( htm#entry4518, Stand 13.10.2015).

Recent media reports indicate that the German data protection supervisory authorities have now reached a compromise on this matter, according to which data transfers to the United States will be considered valid on a provisional basis if EU standard contractual clauses and binding corporate rules are used. This matter should be settled by the end of January 2016. Until that time, no steps will be taken against affected companies.

Until the supervisory authorities come to agreement, the EU Art. 29 Data Protection Wor- king Party will also consider data transfers valid on a provisional basis if EU standard contractual clauses and binding corporate rules are applied (refer to http://ec.europa. eu/justice/data-protection/article-29/press-material/press-release/art29_press_materi- al/2015/20151016_wp29_statement_on_schrems_judgement.pdf).

For the time being, the following should be taken into consideration (as we have recom- mended in the past):

  • Agree upon the inclusion of the relevant and suitable EU standard contractual clauses also for existing data recipients currently registered under the Safe Harbor agreement. In the event of commissioned data processing, the ten (10) requirements stipulated in Sec. 11 of the German Federal Data Protection Act (BDSG) should also be observed.
  • Adjust binding corporate rules that do not provide for such.
  • Also, adjust any deviating company agreements.