7 November 2016

German privacy authorities launch coordinated audit of international data transfers

Ten German data protection authorities (“DPAs”) will conduct a coordinated audit of cross-border data transfers at 500-randomly selected German companies. The audit was announced by the Data Protection Authorities of Bavaria and Berlin on behalf of other DPAs on 3 November 2016. The audit is aimed at raising awareness among the companies on the outbound transfers of personal data they process and data processing operations outside the European Economic Area. This includes intra-group data transfers, cloud solutions and any other transfers to third parties. The audit results can lead to a more thorough investigation and enforcement actions by the DPAs.

Companies that receive the questionnaire should carefully review the questions and provide general information on data transfers, the grounds for transfers and safeguards used in cases where transfers are made to countries without adequate data protection regimes. If any non-compliant transfers are being currently made, we suggest that companies not wait for follow-up from the DPAs, but that they instead take immediate actions to remediate non-compliance.

In addition, companies doing business in the EU or targeting European citizens should review and assess their processing operations involving personal data. The DPA’s questionnaire provides a good general checklist for scrutinising which company’s internal processes contain data operations that fall under personal data protection law. Here is the unofficial English translation of the questionnaire for your convenience.

Data transfer details
The questionnaire includes detailed questions regarding a company’s data transfers to the US and to other non-EEA countries with data protection regimes that the EU considers in adequate. The audited companies will need to specify the kinds of personal data they transfer (for example, customer data or employee data) and explain what safeguards they use to ensure compliance with EU data protection law. The latter could include the EC standard contractual clauses, binding corporate rules, data subject consent or the EU-US Privacy Shield (“Privacy Shield”).

The company should specify to which non-EEA countries transfers are being made. If personal data are transmitted to the US under the Privacy Shield arrangement, the company should specify whether it relies on the statement by the recipient about Privacy Shield certification or if it verified certification via the list maintained by the US Department of Commerce.

The last questions specifically focus on the role of the in-house data protection officer (mandatory for the majority of German companies) in overseeing the legality of international data transfers. If a data protection officer was installed but not involved in overseeing the data transfers, the company should explain why not.

Types of transfer
The audit aims to cover all cross-border processing operations that involve personal data, including intra-group transfers; cloud solutions; remote maintenance and support services by third party providers; customer relationship management and marketing; newsletter services; online collaboration platforms; whistleblower hotlines or other compliance schemes; travel and ticketing support; etc. Audited companies are asked to specify the names of services and service providers.

Participating DPAs
The audit is being conducted by the DPAs of Bavaria, Berlin, Bremen, Hamburg, Mecklenburg-Vorpommern, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, and Saxony-Anhalt.

Real compliance is key
There is no doubt that the German DPAs will share their findings with other EU DPAs in the Article 29 Working Party (“WP29”). We see an increase in cooperation and a growing number of coordinated enforcement actions by regulatory authorities in the EU and internationally. The WP29 is currently coordinating a common EU enforcement action against WhatsApp and Yahoo. Twenty-five data protection authorities recently announced the results of the fourth international Privacy Sweep of the Internet of Things devices coordinated by the Global Privacy Enforcement Network (GPEN).

Similar audits and coordinated enforcement actions will only become more frequent with the upcoming EU General Data Protection Regulation and the globalisation of digital services.

We provide an unofficial translation of the questionnaire into English for your convenience.

Read more in our articles about the Privacy Shield becoming operational, proposed Privacy Shield and invalidation of Safe Harbor. Also read our take on the General Data Protection Regulation.