International data transfer – Coordinated audit of international data transfers by German supervisory authorities

01.06.2021

German supervisory authorities will inspect data transfers by companies to countries outside the European Union or the European Economic Area (third countries) as part of a nationwide audit.

Background: Schrems II decision by the CJEU and recommendations of the European Data Protection Board

In a high-profile decision in the Schrems II case, on 16 July 2020, the Court of Justice of the European Union (CJEU) set aside the European Commission Implementing Decision on the EU-U.S. Privacy Shield – without a transitional period – thus dealing a bitter blow to transatlantic data transfer.

The EU standard data protection clauses (until now also referred to as “standard contractual clauses”), which are often used in practice as a transfer tool for international data transfers, were also examined in the CJEU’s ruling. The CJEU made it clear that the standard data protection clauses are not per se open to criticism. At the same time, however, the competent supervisory authorities are obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses if, in view of all the circumstances surrounding that transfer, they consider that the clauses are not complied with or cannot be complied with in that third country. Where necessary, the data exporter and data importer must take additional measures on top of the standard contractual clauses to ensure an adequate level of data protection.

On 11 November 2020, the European Data Protection Board (EDPB) published detailed recommendations on measures to supplement transfer tools for international data transfer.

Coordinated audit of international data transfers by German supervisory authorities

The supervisory authorities of several federal states (including Bavaria, Berlin, Brandenburg, Hamburg, Lower Saxony, Rhineland-Palatinate and Saarland) announced on 1 June 2021 that they would review data transfers by companies to countries outside the European Union or the European Economic Area (third countries) as part of a nationwide audit. The aim, they said, was to “broadly enforce” the requirements of the CJEU from the Schrems II case.

The authorities participating in the audit intend to write to selected companies within their jurisdiction on the basis of common questionnaires. The common questionnaires cover the following areas: job application portals, intra-group data flows, email hosting, web hosting and tracking. Each supervisory authority will decide for itself which of these areas it examines and, if necessary, adjust the questionnaires regionally.

Companies in Germany should therefore be prepared to receive mail from the supervisory authority responsible for them in the next few days.

In order to be best prepared for requests for information from the authorities, we recommend looking in detail in advance at the questionnaires already published and, if necessary, starting to compile the information needed to answer them.

In the context of data protection accountability, we also still recommend (now with the greatest urgency) reviewing the risks of international data transfers in the company as a whole in the spirit of comprehensive Transfer Impact Assessments (TIA) and, where appropriate, taking steps to address any risks. The European Data Protection Board (EDPB) has outlined the following main steps in its recommendations:

  1. Analyse data transfer to third countries (“know your transfers”)
  2. Verify the transfer tool your transfer relies on
  3. Assess the effectiveness of transfer tools
  4. Identify and adopt supplementary measures
  5. Take any formal procedural steps the adoption of your supplementary measure may require
  6. Re-evaluate at appropriate intervals
