Several German data protection supervisory authorities have been carrying out cross-border and coordinated checks of international data transfers since June 1, 2021.

Procedure of the data protection supervisory authorities

As part of these inspections, the data protection supervisory authorities check with certain companies whether and in what way they transfer personal data to third countries, i.e., countries outside the European Union (EU) or the European Economic Area (EEA).

The data protection supervisory authorities address questionnaires to selected companies on the following topics:

• Use of service providers to send emails
• Use of service providers for hosting of websites
• Use of web tracking
• Use of service providers to manage applicant data
• Intra-group exchange of customer and employee data

The questionnaires are published by the Hamburg Commissioner for Data Protection and Freedom of Information, among others, at (German versions):

https://datenschutz-hamburg.de/pages/fragebogenaktion/

Objective of the data protection supervisory authorities and background of data protection law

With their controls, the data protection supervisory authorities intend to increasingly enforce the current data protection requirements of the European Court of Justice (ECJ) for international data transfers.

In its "Schrems II Decision" as of July 16, 2020 (Case C-311/18), the ECJ declared the EU/US Privacy Shield Decision invalid, meaning that transfers of personal data to the USA are no longer permitted on this legal basis. The Privacy Shield had not sufficiently protected personal data in the USA from access by American authorities. Therefore, it does not provide an equivalent level of data protection comparable to the GDPR.

As a result of the ECJ's Schrems II ruling, international data transfers and the use of digital products and cloud solutions are exposed to new requirements, as they regularly use servers in third countries outside the EU / EEA and predominantly do not comply with the new data protection requirements.

Conclusion and recommendations for action

Almost every company nowadays uses digital products and cloud solutions with servers in third countries (e. g. Microsoft 365, Amazon Web Services) and can, therefore, be affected by the announced controls by the data protection supervisory authorities.

We, therefore, recommend that companies proactively prepare for controls and implement the data protection requirements according to the ECJ's Schrems II ruling as far as possible. For example, contracts using the EU standard contractual clauses in addition are helpful. In considering so, companies should at least take the following additional measures to reduce their risk according to the data protection law:

• It should be checked whether there is demonstrably no alternative for the use of the digital product or cloud solution (e.g., an EU cloud).
• The company has previously conducted and documented a risk analysis.
• The company supplements the contracts with additional technical and organizational security measures (e.g. anonymization or pseudonymization of data, restriction to certain data categories).
• The company adds additional safeguarding sections to the EU standard contractual clauses, such as information obligations and contractual penalties.

Do you have any questions? We will be pleased to advise you!