Nationwide assessment of companies' compliance about Schrems II decision of the European Court of Justice by numerous German data protection supervisory authorities
Companies’ data transfers to countries outside the European Union or the European Economic Area (third countries) are reviewed as part of a nationwide investigation. The goal is to broadly enforce the requirements of the European Court of Justice in its Schrems II decision of July 16, 2020 (Case C-311/18). There, the Court ruled that data transfers to the U.S. can no longer be made on the basis of the Privacy Shield adequacy decision. Furthermore, if the data exporter's assessment has shown that an essentially equivalent level of protection for the personal data cannot be ensured in the recipient state, the use of the standard data protection clauses for data transfers to third countries is only valid if additional effective measures are taken. In many cases, the ECJ's ruling requires a fundamental change in long-established business models and processes.
The German data protection authorities participating in the inspection have contacted companies individually with standardized questionnaires. Among other things, this will cover the use of third-party providers like e-mail-services, webhoster, services for web tracking or managing applicant data, and the intra-Group exchange of customer data and employee data within companies. Each supervisory authority decides individually in which of these subject areas it will take action.
The Court has made clear its expectation that authorities "suspend or prohibit" transfers which do not match the criteria of the Schrems-II-decision. Suspending a transfer can likely succeed in many cases through cooperative dialogue with companies. Where this is not possible, the available supervisory measures will be used to respond. The supervisory authorities are aware of the particular challenges that the ECJ ruling on Schrems II poses for companies in Germany and Europe. They are also available to answer questions of understanding in the further course of the examination procedure, insofar as this is possible in accordance with the available capacities.
The questionnaires for each case group can be accessed here in German language: https://datenschutz-hamburg.de/pages/fragebogenaktion/.
For further information, please contact the Hamburg DPA: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.