April 15, 2021

Volume XI, Number 105

Advertisement

April 14, 2021

Subscribe to Latest Legal News and Analysis

April 13, 2021

Subscribe to Latest Legal News and Analysis

April 12, 2021

Subscribe to Latest Legal News and Analysis

Bavarian DPA Declares Transfers to E-mail Marketing Service Prohibited Due to Lack of Controller’s Assessment and Supplementary Measures

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

Mailchimp provided e-mail newsletter services to the controller, which had used Mailchimp’s e-mail marketing service only twice, to send newsletters to customers. Following a complaint alleging that the controller’s data transfers to the U.S. were illegal in light of the Schrems II judgement, the Bavarian DPA launched an inquiry.

During the inquiry, it was established that the controller relied on EU Standard Contractual Clauses (“SCCs”) for the transfer of e-mail addresses from Germany to the U.S., in order to make use of e-mail marketing services directed to German customers by Mailchimp on its behalf. The Bavarian DPA took the position that as an e-mail marketing service, “there are at least indications” that Mailchimp could qualify as an “electronic communication service provider” under U.S. surveillance law (i.e., FISA 702) and, therefore, “the transfer could only be permissible by taking supplementary measures, if suitable.” In the Bavarian DPA’s view, the controller had failed to assess the risk and implement supplementary measures for the transfer of EU personal data to Mailchimp in the U.S.

In its letter to the complainant, the Bavarian DPA states that it has “informed the company that the above-mentioned transfers of personal data to the U.S. were therefore impermissible.” However, the Bavarian DPA decided not to impose a fine in this particular case for the following reasons:

  • The DPA accepted the controller’s argument that the final version of the draft European Data Protection Board’s recommendations on supplementary measures post Schrems II has not yet been issued;

  • The use of Mailchimp’s services by the company was limited, since the service was only used to send newsletters twice. Therefore, “only a few cases of inadmissible data were transmitted.”  In addition, the types of personal data involved (i.e., e-mail addresses) are “still relatively manageable in sensitivity.” Taken together, the “present infringement is still to be classified as minor with regard to its nature and gravity, and in particular only a slight degree of negligence;” and

  • The company cooperated and committed that it will immediately stop using Mailchimp’s services.

The case was not published by the Bavarian DPA, but the news was released by several news sources.

Advertisement
Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 88
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement