Data transfer details
The questionnaire includes detailed questions regarding a company’s data transfers to the US and to other non-EEA countries with data protection regimes that the EU considers in adequate. The audited companies will need to specify the kinds of personal data they transfer (for example, customer data or employee data) and explain what safeguards they use to ensure compliance with EU data protection law. The latter could include the EC standard contractual clauses, binding corporate rules, data subject consent or the EU-US Privacy Shield (“Privacy Shield”).
The company should specify to which non-EEA countries transfers are being made. If personal data are transmitted to the US under the Privacy Shield arrangement, the company should specify whether it relies on the statement by the recipient about Privacy Shield certification or if it verified certification via the list maintained by the US Department of Commerce.
The last questions specifically focus on the role of the in-house data protection officer (mandatory for the majority of German companies) in overseeing the legality of international data transfers. If a data protection officer was installed but not involved in overseeing the data transfers, the company should explain why not.
Types of transfer
The audit aims to cover all cross-border processing operations that involve personal data, including intra-group transfers; cloud solutions; remote maintenance and support services by third party providers; customer relationship management and marketing; newsletter services; online collaboration platforms; whistleblower hotlines or other compliance schemes; travel and ticketing support; etc. Audited companies are asked to specify the names of services and service providers.
The audit is being conducted by the DPAs of Bavaria, Berlin, Bremen, Hamburg, Mecklenburg-Vorpommern, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, and Saxony-Anhalt.
Real compliance is key
There is no doubt that the German DPAs will share their findings with other EU DPAs in the Article 29 Working Party (“WP29”). We see an increase in cooperation and a growing number of coordinated enforcement actions by regulatory authorities in the EU and internationally. The WP29 is currently coordinating a common EU enforcement action against WhatsApp and Yahoo. Twenty-five data protection authorities recently announced the results of the fourth international Privacy Sweep of the Internet of Things devices coordinated by the Global Privacy Enforcement Network (GPEN).
Similar audits and coordinated enforcement actions will only become more frequent with the upcoming EU General Data Protection Regulation and the globalisation of digital services.
We provide an unofficial translation of the questionnaire into English for your convenience.