Ten German data protection authorities (from Bavaria, Berlin, Bremen, Hamburg, Mecklenburg-Vorpommern, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, and Saxony-Anhalt) announced a coordinated investigation into data transfers to countries outside of the European Union (EU) and/or the European Economic Area (EEA). The authorities plan to contact about 500 randomly selected businesses of various sizes and from different sectors and ask them to complete a written questionnaire. The questionnaire prepared (in German) can be downloaded from the website of the Data Protection Authority of Bavaria for the Private Sector.
The authorities’ strong interest in data transfers to third countries is not surprising. On one hand, the use of cloud services (for example SaaS) has grown exponentially even in small and medium-sized businesses in recent years. On the other hand, international data transfers have been under strict scrutiny since the Safe Harbor decision of the European Court of Justice. Subsequent to the ECJ’s judgement, the Hamburg Commissioner for Data Protection and Freedom of Information had already imposed fines for data transfers that had taken place without a sufficient legal basis (press release only available in German).
Legal requirements for data transfers to third countries
For data transfers to countries outside of the EU/EEA, so-called third countries, two steps have to be considered. The first step concerns the question of whether there is a corresponding legal basis for the transfer – this requirement also applies to data transfers within Germany or the EU/EEA. In a second step, it is further necessary to check whether an adequate level of data protection is ensured in the country where the recipient is based. This is the case if the EU Commission adopted an adequacy decision for the country in question (e.g. such as for Argentina or Israel). The current list of “safe” third countries can be found here.
Data transfers to “unsafe” third countries
If the recipient is not located in such a country, alternative tools must be used to ensure an adequate level of data protection:
- Recipients in the US, since 1 August 2016, can register for the new EU/US Privacy Shield, the successor of the invalidated Safe Harbor system.
- In addition, the EU Standard Contractual Clauses of the EU Commission are available. They consist of currently three contract templates, which the so-called data exporter can conclude with the so-called data importer established in the third country.
If such clauses are used without further changes, the data transfer does not require a further permission from the data protection authorities (this might be different in other EU countries). In contrast, the use of modified Standard Contractual Clauses or individual ad-hoc clauses is always subject to approval by the relevant data protection authority.
- Furthermore, data exporters may rely on the so-called Binding Corporate Rules (BCRs), which are internal rules approved by the concerned data protection authorities for intra-group transfers. BCRs can now also be implemented by data processors and have become more and more relevant even for mid-sized businesses in recent years to avoid the sometimes cumbersome implementation of a group-wide network of Standard Contractual Clauses.
- Last but not least, consent of the affected data subjects can also serve as a basis for the transmission of personal data to an unsafe third country. However, whether this option is feasible in practice very much depends on the specific circumstances of the data processing in question.
Which data transfers are in the scope of the authorities’ current action?
It is important to note that a data transfer to a third country does not only occur when personal data is actually transferred to a third party established in a third country (for example, upload of data to an application on a provider’s server), but also if data in Germany is accessed from a third country. Furthermore, businesses should be aware that all sorts of flows of personal data are relevant. This also goes for purely intra-company data flows or the involvement of service providers and concerns all types of personal data, i.e. customer data as well as employee or vendor data.
In order to facilitate the process for the audited businesses, the data protection authorities in their questionnaire already identified service areas in which they assume that the provision of group-internal or external services from third countries (especially the US) is frequent. Specific questions aim e.g. at the use of CRM, recruiting, QM/compliance, e-mail/newsletters, messaging/video conferencing, ticketing/support and travel management tools.
Which steps should be taken?
The authorities’ coordinated approach should generally remind businesses to check their own compliance with the requirements for international data flows. It turned out in the past that e.g. the collection of the necessary information for the conclusion of EU Standard Contractual Clauses can take considerable time and is usually nothing which could be done within days. Illegal data transfers to third countries can be punished with fines of up to EUR 300,000.00. Those fines will be increased considerably to a maximum of 4% of the total worldwide annual turnover of the preceding financial year by the General Data Protection Regulation coming into force on 25 May 2018.
Companies that receive the questionnaire should take the request seriously and provide all the requested information in due time. In case of doubt, legal assistance should be sought. In no case should the request be simply ignored, as this might not only result in a more in-depth audit, but also lead to fines of up to EUR 50,000.00 (irrespective of the admissibility of any transfers). Since the authorities’ aim is primarily to raise the awareness among businesses, a cooperative response is also more likely to result in less severe consequences in case of a breach.