German DPAs launch audit of international data transfers after Schrems II

According to a press release of the data protection authority (DPA) of Lower Saxony earlier this month, nine German DPAs will participate in a coordinated audit of companies in Germany regarding their transfers of personal data to countries outside the European Economic Area (EEA). The new initiative aims at broadly enforcing the requirements set forth by the Court of Justice of the European Union (CJEU) in its Schrems II decision of almost 11 months ago. The DPAs will contact an unspecified number of companies under their supervision with aligned questionnaires. Each DPA decides independently in which areas it will take action and whether the questionnaires should be regionally adapted. Separately, on June 22, 2021, the DPA of Hesse informed companies and public authorities in Hesse that transfers of personal data to third countries like the U.S. are not permissible without additional safeguards. Companies have to demonstrate that they have carried out the required assessments and taken initial steps to ensure that their data processing procedures comply with the requirements of the GDPR.

The nine DPAs participating in the coordinated audit (Baden-Wuerttemberg, Bavaria, Berlin, Brandenburg, Bremen, Hamburg, Lower Saxony, Rhineland-Palatinate and Saarland) have agreed on five different questionnaires relating to the following topics:

  • the use of service providers for sending emails;
  • the use of service providers for hosting websites;
  • online tracking;
  • the use of service providers for managing job applicant data;
  • the intra-group exchange of customer and employee data.

The rather detailed questions inter alia address the roles of the data exporters/importers, the categories of personal data transferred, the location where the personal data is stored, and the legal bases and transfer mechanisms relied upon for the data transfers. There is also a set of questions that specifically focuses on the Schrems II requirements, in particular when the company relies on the Standard Contractual Clauses (SCCs) as transfer tool. Audited companies are asked to specify whether they have engaged in a thorough assessment of the national laws of the third country and particularly whether they have reviewed the laws for provisions that could impinge on the effectiveness of the safeguards of the SCCs. For data transfers to the U.S., the DPAs specifically want to know whether the recipient of the personal data is subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA). Companies are also requested to provide details of any additional safeguards they have taken or planned beyond the SCCs and how they can ensure a rapid response to any changes in the laws of the third country. In terms of encryption, the questionnaires ask companies to disclose whether they use encryption for their international data transfers and, if so, to specify the type of encryption, in which phases encryption and decryption take place, which parties perform the decryption and which ones hold the decryption key. Companies that concluded that no additional safeguards are required are asked to provide reasons for their non-action as well as any suitable supporting documents. The questionnaires also request copies of all executed SCCs as well as of those parts of the records of processing activities that may involve data transfers to third countries.

The new initiatives of the German DPAs do not come as a surprise, since they repeatedly emphasized in the past six months that they expect companies to already be taking steps towards compliance with the requirements established by Schrems II. Companies with headquarters or affiliates in Germany should therefore now ramp up their efforts to implement some of the supplementary transfer measures addressed by the European Data Protection Board in its Recommendations 01/2020. The final version of these recommendations was published on June 21, 2021. It is also crucial for companies to document all considerations, decisions and actions with regard to international data transfers and Schrems II, in order to be able to demonstrate compliance to the DPAs in case of an audit. 

© Bryan Cave Leighton Paisner | Attorney Advertising