
German DPAs launch audit of international data transfers after Schrems II

30 June 2021

According to a press release of the data protection authority (DPA) of Lower Saxony earlier this month, nine German DPAs will participate in a coordinated audit of companies in Germany regarding their transfers of personal data to countries outside the European Economic Area (EEA). The new initiative aims at broadly enforcing the requirements set forth by the Court of Justice of the European Union (CJEU) in its Schrems II decision of almost one year ago. The DPAs will contact an unspecified number of companies under their supervision with aligned questionnaires. Each DPA decides independently in which areas it will take action and whether the questionnaires should be regionally adapted. Separately, on June 22, 2021, the DPA of Hesse informed companies and public authorities in Hesse that transfers of personal data to third countries like the U.S. are not permissible without additional safeguards. Companies have to demonstrate that they have carried out the required assessments and taken initial steps to ensure that their data processing procedures comply with the requirements of the GDPR.

The nine DPAs participating in the coordinated audit (Baden-Wuerttemberg, Bavaria, Berlin, Brandenburg, Bremen, Hamburg, Lower Saxony, Rhineland-Palatinate and Saarland) have agreed on five different questionnaires relating to the following topics:

  • the use of service providers for sending emails;
  • the use of service providers for hosting websites;
  • online tracking;
  • the use of service providers for managing job applicant data;
  • the intra-group exchange of customer and employee data.

The rather detailed questions inter alia address the roles of the data exporters/importers, the categories of personal data transferred, the location where the personal data is stored, and the legal bases and transfer mechanisms relied upon for the data transfers. There is also a set of questions that specifically focus on the Schrems II requirements, in particular when the company relies on the Standard Contractual Clauses (SCCs) as a transfer tool. Audited companies are asked to specify whether they have engaged in a thorough assessment of the national laws of the third country and particularly whether they have reviewed the laws for provisions that could impinge on the effectiveness of the safeguards of the SCCs. For data transfers to the U.S., the DPAs specifically want to know whether the recipient of the personal data is subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA). Companies are also requested to provide details of any additional safeguards they have taken or planned beyond the SCCs and how they can ensure a rapid response to any changes in the laws of the third country. In terms of encryption, the questionnaires ask companies to disclose whether they use encryption for their international data transfers, and if so, to specify the type of encryption, in which phases encryption and decryption take place, which parties perform the decryption and which ones hold the decryption key. Companies that concluded that no additional safeguards are required are asked to provide reasons for their non-action as well as any suitable supporting documents. The questionnaires also request copies of all executed SCCs as well as of those parts of the records of processing activities that may involve data transfers to third countries.

The new initiatives of the German DPAs do not come as a surprise, since they have repeatedly emphasized over the past six months that they expect companies to already be taking steps towards compliance with the requirements established by Schrems II. Companies with headquarters or affiliates in Germany should therefore now ramp up their efforts to implement some of the supplementary transfer measures addressed by the European Data Protection Board in its Recommendations 01/2020. The final version of these recommendations was published on June 21, 2021. It is also crucial for companies to document all considerations, decisions and actions with regard to international data transfers and Schrems II, in order to be able to demonstrate compliance to the DPAs in case of an audit.

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.