Bavarian DPA offers practical insights into "Schrems II"

The German state of Bavaria’s Data Protection Authority has ruled that the use of Mailchimp for the transfer of email addresses to the US was unlawful. Mailchimp is a US-based marketing automation platform and email marketing service. When using Mailchimp, FOGS Magazin relied on the EU Standard Contractual Clauses for its data transfers from Germany to the US. But Mailchimp could qualify as an "electronic communication service provider" under US surveillance law, the DPA says. Therefore, referring to the CJEU’s decision in "Schrems II", the company should have assessed additional measures that should be put in place to ensure that the transferred data was protected from US surveillance.

Bavaria’s DPA did not impose a fine, for three reasons: the respondent has stopped using Mailchimp, the potential infringement of the law was minor in this case, and the EU Commission has not finalised the new Standard Contractual Clauses.

See the 15 March decision: GDPR Hub - BayLDA - LDA-1085.1-12159/20-IDV