Several German data protection supervisory authorities have been carrying out cross-border and coordinated checks of international data transfers since June 1, 2021.
Procedure of the data protection supervisory authorities
As part of these inspections, the data protection supervisory authorities check with certain companies whether and in what way they transfer personal data to third countries, i.e., countries outside the European Union (EU) or the European Economic Area (EEA).
The data protection supervisory authorities address questionnaires to selected companies on the following topics:
The questionnaires are published by the Hamburg Commissioner for Data Protection and Freedom of Information, among others, at (German versions):
Objective of the data protection supervisory authorities and background of data protection law
With their inspections, the data protection supervisory authorities intend to increasingly enforce the current data protection requirements of the European Court of Justice (ECJ) for international data transfers.
In its "Schrems II" decision of July 16, 2020 (Case C-311/18), the ECJ declared the EU/US Privacy Shield Decision invalid, meaning that transfers of personal data to the USA are no longer permitted on this legal basis. The Privacy Shield did not sufficiently protect personal data in the USA from access by American authorities. Therefore, it does not provide a level of data protection equivalent to that of the GDPR.
As a result of the ECJ's Schrems II ruling, international data transfers and the use of digital products and cloud solutions are subject to new requirements, as they regularly use servers in third countries outside the EU/EEA and predominantly do not comply with the new data protection requirements.
Conclusion and recommendations for action
Almost every company nowadays uses digital products and cloud solutions with servers in third countries (e.g. Microsoft 365, Amazon Web Services) and can, therefore, be affected by the announced inspections by the data protection supervisory authorities.
We, therefore, recommend that companies proactively prepare for inspections and implement the data protection requirements according to the ECJ's Schrems II ruling as far as possible. For example, additionally concluding contracts based on the EU standard contractual clauses is helpful. In doing so, companies should at least take the following additional measures to reduce their risk under data protection law:
Do you have any questions? We will be pleased to advise you!