Eight German data protection authorities (DPAs) announced with press releases published today their participation in a coordinated audit of data controllers based in Germany.
The audit will focus on compliance with the requirements applicable to data transfers outside the European Union and the European Economic Area with the aim of broadly enforcing the requirements of the “Schrems II” ruling adopted by the Court of Justice of the European Union (CJEU) in July 2020.
This action clearly shows that authorities are starting to actively enforce the additional requirements applicable to data transfers, after a period of issuing guidance on how to comply with the Schrems II ruling.
Coordinated approach of the German DPAs
Particularly notable is the coordinated manner in which the DPAs have decided to act. In Germany alone (and according to current knowledge), the DPAs of Hamburg, Berlin, Lower Saxony, and Brandenburg have already issued press releases confirming their involvement in enforcement proceedings, and the DPAs of Baden-Württemberg, Bavaria, Bremen, Rhineland-Palatinate and Saarland will, based on current information, also participate.
This action is, however, no real surprise as many German DPAs had already outlined the immediate need for organisations to start implementing measures for compliance with the Schrems II ruling and warned of enforcement actions. However, there has hitherto been only one case of enforcement in Germany since the Schrems II ruling. In this case, the Bavarian DPA held that it was a GDPR violation for the organisation not to assess whether “additional measures” to Standard Contractual Clauses were required for transferring personal data to an email marketing platform in the US. Nevertheless, the authority refrained from imposing a fine on the organisation.
The DPAs will now write to selected organisations on the basis of aligned questionnaires. In this regard, the DPA of Lower Saxony has already announced that it will reach out to a total of 18 organisations located in its jurisdiction regarding email and web hosting. Other German DPAs have not indicated how many organisations under their supervision they will contact.
Common questionnaires form the basis for the German DPAs’ audit
The DPAs have developed common questionnaires pertaining to various topics such as the use of service providers for the sending of emails, the hosting of websites, web tracking, the management of applicants’ data, and the internal exchange of customer data and employee data. However, each DPA will be able to decide individually which topic(s) it aims to audit in its federal state and whether the questionnaire may be locally adapted.
Questionnaires are specific to their respective topic and the questions differ, but all the questionnaires are quite detailed and have been designed to provide DPAs with a thorough overview of the data transfer configurations and, where relevant, the transfer mechanisms used.
In particular, the questionnaires will help DPAs to get information on:
- the role of the importer and the exporter (i.e. data controller, joint controller or data processor);
- the place where personal data are processed, hosted, stored, etc.;
- the categories of personal data processed;
- the legal basis on which the processing is based;
- the transfer mechanism relied on to transfer personal data;
- the additional measures implemented when relying on standard contractual clauses; and
- data security.
German DPAs eager to impose stringent Schrems II requirements
The concerted action demonstrates that German DPAs are eager to impose the stringent requirements set out by the CJEU in Schrems II. The rather detailed questionnaires indicate that the German DPAs will not be satisfied with high-level information, but will request accountability and detailed information on the status quo of Schrems II compliance. Follow-up action is likely, and more Schrems II enforcement in other EU member states can be expected.