- German Data Protection Authorities Initiate Review of International Data Transfers of 500 German Companies
- November 16, 2016 | Authors: Jörg Hladjk; Ted-Philip (Ted) Kroke; Martin Lotz; Mauricio F. Paez; Undine von Diemar
- Law Firms: Jones Day - Brussels Office ; Jones Day - Frankfurt am Main Office ; Jones Day - Munich Office ; Jones Day - New York Office ; Jones Day - Munich Office
- On November 3, 2016, 10 German Data Protection Authorities ("DPAs") issued a joint press release (document available in German only), announcing the start of a review of 500 German companies regarding international transfers of personal data to non-EU countries. The review is not targeted at a specific industry sector but rather includes companies of all sizes in various industry sectors.
The companies are asked to answer a detailed questionnaire (official document available in German only; view an English translation of the questionnaire prepared by Jones Day), which focuses on the transfer of customer, employee, or any other personal data to non-EU countries in the context of general business practices, which involve-often unnoticed-the transfer of such data. Based on the responses to the questionnaire, the DPA will, if necessary, pursue a more detailed investigation. In the case of noncompliance, fines can amount to up to EUR 300,000.
Significant Increase in Cross-Border Data Transfers
In its press release, the DPAs of Bavaria, Berlin, Bremen, Hamburg, Mecklenburg-Western Pomerania, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, and Saxony-Anhalt recognize a significant growth in cross-border transfers of personal data in the private sector over the last few years. Besides globalization, the increased use of cloud computing solutions, often operated on servers outside the European Economic Area ("EEA"), would contribute to this effect. According to the DPAs, the general availability and simple implementation of cloud computing solutions lead to the result that not only major global companies but also small and medium-sized companies frequently transfer personal data to non-EU countries. Such companies are therefore equally subject to international data transfer restrictions.
Lack of Awareness of International Data Transfers
Companies are often unaware that services such as remote maintenance, cloud storage, cloud-based office solutions, communication services (email), collaboration platforms (messengers, chat programs, videoconferencing programs, share storages), support services, customer-relations management services, travel management services, HR services, and other services frequently involve the transfer of personal data to countries outside of the EEA. The review launched by the German DPAs is intended to remind companies that such data transfers must be in compliance with EU data protection law, which requires companies to provide for an adequate level of data protection in the country to which the personal data is transferred, by implementing an appropriate international data transfer mechanism (such as EU Standard Contractual Clauses).
Content of the Questionnaire
The questionnaire covers both controller-to-controller and controller-to-processor data transfers and also addresses intragroup data transfers.
Further, companies are requested to indicate any existing data transfer mechanisms (i.e., the EU-U.S. Privacy Shield or EU Standard Contractual Clauses) in order for the DPAs to check compliance with international data transfer restrictions provided by EU data protection law. In addition, companies have to provide information about the existence of a data protection officer and whether this person was involved in any assessment of the lawfulness of the international data transfers.
According to the press release, the DPAs may consider a more detailed investigation into the companies' data transfer practices if they are not satisfied with the responses they receive. In the case of noncompliance, the DPAs may also initiate further enforcement activities, including administrative fines of up to EUR 300,000.
What to Do?
The questionnaire should be taken seriously and needs to be carefully answered, as the DPAs will likely cross-check the answers and, according to their press release, pursue further investigations if inconsistencies arise.
If companies become aware of noncompliant business practices, remediation measures should be taken as soon as possible. As one main purpose of the review exercise is to create awareness and sensitivity among companies with respect to their international data transfer practices, the DPAs will usually take it favorably into consideration if companies that become aware of noncompliance quickly take actions to comply with the legal requirements for international data transfers.