According to a press release of the Bavarian Data Protection Authority dated 3 November 2016 (“Press Release”), 10 German Data Protection Authorities (“DPAs”) have commenced a coordinated written audit and assessment of international data transfers, i.e., transfers to non-EU countries. Five hundred German companies will be asked to complete a comprehensive questionnaire which covers details of the companies’ international transfers of personal data to countries outside the European Union.

Motivation

The Bavarian DPA explains on its website the motivation for the audit as follows:

“In recent years, the number of international transfers of personal data in the private sector enormously increased. One reason for this development is the economic globalization as well as the continuous spread of services and products of the so-called Cloud Computing. Even small and medium-sized enterprises in Germany use many of these external services to transfer personal data (e.g. of customers, employees or applicants).

“However, many of these services are offered by US companies – and therefore usually require the transfer of personal data to the US and/or other non-EU countries. The experience of the German data protection authorities (DPAs) so far shows that companies are not always aware of the fact that with the use of such products a transfer of personal data to non-EU countries takes place.”

Further, the Bavarian DPA states in its Press Release that companies, which intend to transfer personal data to countries outside the European Union, are required to assess whether an adequate level of data protection can be ensured; otherwise, no transfer shall take place at all. In the Bavarian DPA’s view, it shall be vital to increase companies’ awareness of whether and under which data-processing activities transfers personal data to countries outside of the European Union occur. If such transfers take place, the company is compelled to consider the existence of sufficient legal justifications for such transfers.

Impact

Thomas Kranig, the Bavarian Data Protection Commissioner, said:

“Even for mid-sized companies, transfer of personal data to countries outside the European Union is part of the day-to-day business, in particular in the light of the increased market presence of cloud computing solutions. However, companies need to be aware that specific data protection related requirements need to be observed in this regard. One aim of the present coordinated audit by 10 German DPAs is to increase the companies’ awareness in this field. Depending on the responses to the questionnaire, the Bavarian DPA will conduct a more in-depth assessment where necessary.”

As it can be seen from the Bavarian Data Protection Commissioner’s statement, a company which receives the questionnaire should take the questionnaire seriously. Incorrect answers might lead to more comprehensive and thorough investigations by the DPAs. Breaches of the provisions of the German Data Protection Act (Bundesdatenschutzgesetz – BDSG) which are detected by the DPAs might result in administrative fines up to EUR 300,000.

Scope of the Questionnaire

During the upcoming weeks, the DPAs will send out the questionnaire to 500 companies, which are selected on a random basis. However, it is the DPAs’ intention to ensure that companies of different sizes, covering different sectors, will be included in the coordinated audit.

The questionnaire covers a number of details in relation to the companies’ international data transfers. The following questions shall be answered by the companies:

  1. Transfer of personal data to the United States of America
    1.1       Do you transfer personal data to the United States of America?
    1.2       If so, do such transfers contain customer data and/or employee data and/or other categories of personal data?
    1.3       What legal justification is used for such transfers to the United States of America (safe harbour, EU-U.S. Privacy Shield, model clauses, model clauses with additional provisions/amendments, individual agreements, binding corporate rules, consent)?
    1.4       In case of transfers based on the EU-U.S. Privacy Shield: How did you make sure that the recipient is Privacy Shield certified? (Privacy Shield list of the United States Department of Commerce, declaration by the recipient.)
  2. Transfer of personal data to other third countries
    2.1      Do you transfer personal data to other states outside the European Union and the European Economic Area (except the United States)?
    2.2       If so, which countries are covered?
    2.3       Do such transfers contain customer data and/or employee data and/or other categories of personal data?
    2.4        What legal justification is used for such transfers (adequacy decision by the European Commission, model clauses, model clauses with additional provisions/amendments, individual agreement, binding corporate rules, consent)?
  3. Types of transfers to third countries (including the United States of America)
    3.1      Do you transfer personal data to countries outside the European Union and the European Economic Area, to “controllers” and/or to “data processors”?
    3.2       Do you transfer personal data to countries outside the European Union and the European Economic Area to companies which are a member of your own company’s group (e.g., parent company and/or subsidiaries and/or affiliates)?
    3.3       Do you avail yourself of remote maintenance services from countries outside the European Union and the European Economic Area, in the course of which the service provider may have access to personal data (e.g., customer data or employee data)?
    3.4       Do you avail yourself of support services from countries outside the European Union and the European Economic Area, in the course of which the service provider may have access to personal data (e.g., customer data or employee data)?
    3.5       Do you avail yourself of travel management services for your employees in countries outside the European Union and the European Economic Area, and do you transfer, for this purpose, personal data to the commissioned party? If third-party services (e.g., cloud services) are used, please indicate these services.
    3.6       Do you avail yourself of services in the areas of customer relationship management or marketing in countries outside the European Union and the European Economic Area? Do you transfer, for this purpose, personal data to the commissioned party? If third-party services (e.g., cloud services) are used, please indicate these services.
    3.7       Do you avail yourself of services in the area of personal recruiting/ candidate management/skill databases in countries outside the European Union and the European Economic Area? Do you transfer, for this purpose, personal data to the commissioned party? If third-party services (e.g., cloud) are used, please indicate these services.
    3.8       Do you use cloud-storage solutions of third-party providers, in the course of which personal data are transferred to countries outside the European Union and the European Economic Area? If so, which solutions are used?
    3.9       Do you use communication services of third-party providers, in the course of which personal data are transferred to countries outside the European Union and the European Economic Area? If so, which services are used?
    3.10      Do you use cloud-office solutions of third-party providers, in the course of which personal data are transferred to countries outside the European Union and the European Economic Area? If so, which solutions are used?
    3.11      Do you use collaboration platforms (e.g., chat or messaging systems, video conference systems, document exchange systems, wiki-solutions) of third-party providers, in the course of which personal data (e.g., employee data) are transferred to countries outside the European Union and the European Economic Area? If so, which platforms are used?
    3.12      Do you use ticketing or support systems of third-party providers for processing inquiries of your customers, in the course of which employee data and/or customer data are transferred to countries outside the European Union and the European Economic Area? If so, which systems are used?
    3.13      In the fields of quality management, risk management and compliance, do you use products, in the course of which employee data and/or customer data are transferred to countries outside the European Union and the European Economic Area (e.g., ethics hotline or complaint hotline)? If so, which products are used?
    3.14      Do you use other services of third-party providers, which are not covered by questions 3.3 to 3.13, in the course of which you transfer personal data to countries outside the European Union and the European Economic Area? If so, please indicate in a nutshell the type of services. Which services are used?
  4. Data Protection Officer
    4.1       Has your company appointed a Data Protection Officer?
    4.2       If so, has your Data Protection Officer been involved in the assessment of international data transfers so far?
    4.3        If not, why has your company refrained from involving your Data Protection Officer in such assessment?