Several German Data Protection Authorities commence independent investigation of cross border transfers of personal data in violation of Schrems II.

The investigation has commenced by sending companies questionnaire regarding among other things, the use of service providers for:

  • sending e-mails
  • hosting of websites
  • web tracking
  • the administration of applicant data
  • the internal exchange of customer data
  • the intercompany transfer of employee data.

The authorities are mindful of the Court of Justice of the European Union’s (CJEU) instruction that the supervisory authorities “suspend or forbid” transfers that do not meet with the Schrems II requirements for mode of transfer or supplemental measures. Suspending a transmission, says the Berlin DPA in a press release, is likely to succeed in starting a cooperative dialogue with the companies. Where this is not possible regulatory action will follow.

Per Christopher Schmidt, FIP CIPP⁄E CIPM CIPT CDPO’s unofficial translation, questions include:

  • Does your company transfer personal data to other companies of the group located outside the EEA (this includes accessing data stored in Germany from other locations)?
  • Which data is transferred, to which companies and at what intervals?
  • What is the purpose and legal basis of the transfer?
  • Have you checked whether there are no provisions in the third country’s legislation that make it impossible for data importers to comply with their contractual obligations under the SCC?
  • Are any of the other companies subject to FISA 702?
  • Do you use encryption? What kind?
  • What are preparatory steps for alternatives to this transfer/mode of transfer?