10 German Data Privacy Supervisory Authorities Investigating Potential Unlawful International Data Transfers


According to a press release of the Data Protection Supervisory Authority in the Land Mecklenburg Vorpommern of November 3, German supervisory authorities have randomly selected 500 companies in Germany and sent them requests for information on their international data transfers. The German supervisory authorities are undertaking this coordinated action in order to increase awareness among companies of the need to ensure data privacy compliance of international data transfers.

Content of Request

Companies coming under scrutiny will likely be asked if they send personal data to countries outside the EU, whether the destination country outside the EU is deemed to provide adequate data protection,–and whether they use EU Model Clauses or valid consent from the data subject or something else to justify the data transfers. The supervisory authorities noted that they would focus on several particular industries/services: remote services, help-desk services, other support services, customer relation management or the administration of job applications.

Even though the supervisory authorities have stressed that this action is primarily geared at promoting awareness, organizations should anticipate that enforcement actions will likely follow for companies that are clearly out of compliance.

Analysis and Recommendation to React

This coordinated action is likely a starting point and will be followed by various others with tougher enforcement threats. Accordingly, organizations that maintain a substantial amount of data regarding EU citizens–whether in the EU or the U.S.–should take note of the German supervisory authorities increasing attention to data transfer, and revisit the efficacy of the data transfer mechanism that they are currently using, especially in the wake of the demise of Safe Harbor and the advent of Privacy Shield. In particular, the companies that receive the described request from local supervisory authorities should not take this easy.

A starting point can be to map all data flows international group members or with service providers. Based thereon, companies should assess how they can justify such data transfers. For example in case of data transfers to countries outside the EU which are not recognized as providing for an adequate data protection standard, by entering into the EU Model Clauses for Controllers or for Processors. Organizations with significant operations in Germany should take particular note of guidance issued by German data protection authorities on implementation of Privacy Shield. With GDPR coming into effect in May 2018, the consequences for organizations failing to comply with appropriate data transfer protections will be severe, as the maximum fines available to the supervisory authorities will reach up to 4 percent of companies’ total worldwide turnover.