International transfers under scrutiny by DPAs in Germany
German DPAs are assessing compliance with data transfer rules by sending questionnaires to select companies. Johanna Klingen and Katharina Weimer of Fieldfisher Germany report.
On 2 June 2021, a handful of the German Länder (state) data protection authorities (DPAs) formed a task force in order to assess, by means of questionnaires the extent to which companies have reacted to the Schrems II decision. This is a new approach by the DPAs as there are reasons to believe that the DPAs will use the information gathered through the questionnaires to initiate enforcement proceedings should a company not be in a position to respond to these questionnaires and to document compliance.
Background information on the Schrems II decision
To understand the impact of the Schrems II decision for international data transfers, it is worth looking back in history. In 2013 Maximilian Schrems launched his first case with the Irish DPA based on a complaint against the data processing activities of Facebook. This proceeding culminated in the Court of Justice of the European Union’s (CJEU) decision of 6 October, 2014 (C-362/14), also known as the Schrems I decision. The CJEU declared the Safe-Harbour Agreement, which at the time was an instrument to justify international data transfers, invalid. Later on, the European Union (EU) and the United States agreed on its successor, the so-called “EU-US Privacy Shield” (Privacy Shield), which was considered equivalent to an adequacy decision.
International Report subscribers please login to access the full article.
If you wish to subscribe please see our subscription information.