Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
German Data Protection Authorities to audit international data transfers of 500 German organisations
Questionnaire should make organisations examine the basis upon which they transfer data outside the EEA.
Ten German data protection authorities (DPAs) last week announced a coordinated effort to audit transfers of personal data outside of the European Economic Area (EEA). The DPAs will send questionnaires to 500 companies across Germany in an attempt to obtain a view of the legal bases under which organisations transfer personal data outside of the EEA and increase sensitivity regarding international transfers of personal data.
The questionnaire will be sent to 500 German companies, selected at random, within the ten federal states involved in the exercise. It is thought that the companies will range in size from small businesses with few employees to much larger multinationals.
In a press statement published in German here (Statement), the DPAs highlight the growing use of “Software as a Service” and cloud computing, particularly amongst small and medium sized businesses, as a trigger for an increasing number of transfers of personal data outside of the EEA.
It is clear from the Statement that the DPAs involved are looking to increase industry sensitivity towards international data transfers. The DPAs seem keen to reinforce the point that data exporters in Germany are responsible for deciding on what terms the relevant personal data is transferred outside of the EEA and should not be led by the service provider’s terms. Data exporters are therefore being encouraged to carry out a thorough analysis of a service provider’s terms before committing to the services, to determine under which legal basis the transfer will occur, before the international transfer takes place.
The inclusion of a wide variety of applications in the questionnaire, from recruitment tools to messaging services, will draw organisations’ attention to the extent of their processing activities outside of the EEA. The Statement makes reference to a large number of internet-based office solutions being hosted in the USA. It is therefore expected that any organisation which ticks the (outdated) “Safe Harbour” box when asked under what legal basis it transfers personal data to the USA, may find itself subject to a follow-up investigation from their relevant DPA.
The completed questionnaires are required to be signed off by the organisation’s management and where applicable, the data protection officer. This requirement will bring the restrictions around international data transfers to the attention of senior management and encourage organisations to prioritise compliance.
Any organisation receiving a questionnaire of this nature should make its careful completion a priority. Under the current law, German DPAs can fine organisations up to 300,000 Euros per offence. Violations of data protection laws can also attract criminal sanctions in some circumstances with a maximum prison sentence of two years.
The General Data Protection Regulation which will come into force in May 2018 (see our previous post here), will impose even higher sanctions on noncompliant organisations with maximum fines of €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. Therefore, now is the ideal time for organisations, not only in Germany, which transfer personal data outside of the EEA to reassess when, where and how they transfer personal data.
This blog post was written by Amelia Day, Trainee Solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.