German supervisory authorities for data protection investigate cross-border data transfers - approximately 500 companies affected

Within the next few days, the German supervisory authorities for data protection will write to approximately 500 companies in a coordinated written investigation campaign and ask them to complete a questionnaire.

The data protection supervisory authorities of the federal states of Bavaria, Berlin, Bremen, Hamburg, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland and Saxony-Anhalt are taking part in the campaign, which concerns the transfer of personal data to countries outside the EU. The companies to be investigated will be selected randomly. The supervisory authorities have made it clear that companies of various sizes and from various sectors will be included.

An important goal of the investigation is to increase companies’ awareness of data transfers to countries outside the European Union. Our experience, and that of the supervisory authorities, has shown that companies are not always aware that they actually transfer data to third countries such as the United States. Over the last few years, cross-border transfers of personal data in the private sector have increased significantly. Besides economic globalization, a major cause of this trend is the constant growth of cloud computing services and products. Even small and medium-sized German companies regularly process personal data (eg of customers, employees or applicants) on servers operated by external providers. This is especially the case with “software as a service”. A classic example is office applications (eg MS Office 365) that can be used via the internet from any location. Many of these cloud services are offered by US companies, so using them generally requires a transfer of personal data to the United States and/or other third countries. Every time data is transferred to a country outside the EU or the EEA, however, the admissibility of that transfer must be checked.

The questionnaire asks, for instance, whether

  • data is transferred to group undertakings established outside the EU/EEA
  • remote maintenance, support, ticket processing is carried out by third parties outside the EU/EEA, and
  • cloud and hosting solutions (eg Office 365, virtual storage space, SaaS tools eg for CRM or travel management) are used.

The companies will be asked to name the specific services and products they use. If personal data is transferred to states outside the EU/EEA, the investigated companies must state the provisions of data protection law on which the transfer is based. For instance, they must indicate whether the European Commission has recognized an adequate level of data protection for the recipient (an adequacy decision, which includes the so-called EU-US Privacy Shield), whether standard contractual clauses are used as the basis, whether the transfers are based on the data subjects’ consent, etc.

We recommend that you take completing the questionnaire very seriously. Data transfer between companies, in particular to countries outside the EU, is a very complex issue. For example, a data transfer between group undertakings is not privileged; it must be handled in the same way as a transfer between unrelated third parties. In addition, we would like to remind you that a data transfer on the basis of “Safe Harbour” no longer ensures an adequate level of data protection, since the Court of Justice of the European Union invalidated that decision in October 2015.

We gladly offer our support in completing the questionnaire should you be among the companies concerned. Should you not be among them, we would still urge you to take this campaign as an occasion to put data transfers within your company on a legally compliant footing. At present, an unlawful data transfer may be sanctioned with a fine of up to €300,000 (Federal Data Protection Act). From May 2018 onwards (General Data Protection Regulation), administrative fines of up to €20m or 4% of a company’s total worldwide annual turnover, whichever is higher, will be possible.

Should you have any questions, we will gladly support you with our expertise.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.