German supervisory authorities examine international data transfers

The "grace period for companies" following the issuance of the Schrems II ruling by the ECJ is now finally over.

The "grace period for companies" following the issuance of the Schrems II ruling by the ECJ is now finally over. On 1 June 2021, various supervisory authorities in Germany announced that they would review data transfers by companies to states outside the European Union as part of a transnational control. Especially companies in Bavaria, Berlin, Brandenburg, Hamburg, Lower Saxony, Rhineland-Palatinate and Saarland must expect corresponding enquiries from the supervisory authority. However, it cannot be ruled out that other authorities will participate in the survey.

The aim of the review is to meet the ECJ's expectations that authorities suspend or prohibit unauthorised transfers. In its Schrems II decision, the ECJ declared the EU-US Privacy Shield invalid without a transition period on 16 July 2020. At the same time, it emphasised that data transfers are still permitted on the basis of the standard data protection clauses. However, the controller must satisfy itself that these can also be complied with and in this respect an equivalent level of protection for personal data can be guaranteed. This is to be ensured, if necessary, by the use of effective additional measures.

Although there is still no satisfactory solution for a lawful transfer of data, especially to the US, this is now being examined by the supervisory authorities. The participating authorities will write to selected companies in their jurisdiction based on common questionnaires. In addition, the authorities will focus on different areas: Mail hosters, web hosters, tracking, applicant portals and intra-group data traffic. Each supervisory authority decides individually in which of these areas it will audit and whether the questionnaire will be adapted regionally.

Practice Tip:

After the announcement, companies should be prepared to be contacted by the competent supervisory authority. The questionnaires should not be ignored, but properly filled out with legal assistance. Especially in the case of data transfer to the USA, the recommendations of the European Data Protection Board should also be taken into account and, in the best case, documented. Accordingly, the following steps should be taken:

1. Analysis of data transfers to third countries ("Know Your Transfers")
2. Identification of the transfer tools used
3. Assessing the effectiveness of the transfer tools
4. Identification of appropriate complementary measures
5. Implementation of complementary measures
6. Regular evaluation

We are happy to support you both in answering the questionnaires and in carrying out the recommended risk assessment.