October 28, 2020

Volume X, Number 302



German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries

Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCCs) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering how they can transfer data to non-EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.

Reactions from the Data Protection Authority of Baden-Wuerttemberg

The DPA of Baden-Wuerttemberg is, thus far, the only German DPA that has issued relatively detailed guidance, which was published on September 7, 2020. While this is directly applicable only to companies established in Baden-Wuerttemberg, the guidance nevertheless may serve as a point of reference. Pursuant to the guidance, data controllers must offer additional guarantees so that access by the third-country public authorities is essentially prevented. To achieve this, parties to SCCs should duly assess the legal situation in the recipient country and should agree on additional contractual clauses and on technical security measures, such as:

  • Encryption, in which case, only the EU data exporter holds the key so that data cannot be accessed by US security authorities
  • Anonymisation or pseudonymisation, where only the EU data exporter can reverse the anonymisation or pseudonymisation

Pursuant to the guidance, transfers based on the derogations in Art. 49 of the GDPR are still possible. However, given the restrictive character of these provisions, systematic transfers might be excluded.

The DPA of Baden-Wuerttemberg concluded that while they are aware that the CJEU ruling imposes extreme burdens on companies, the DPA’s focus on data transfers would be whether there are reasonable alternatives to the chosen third-country service provider. The burden will lie with the controller to supply convincing reasons that the third-country service provider used is irreplaceable. Otherwise, the DPA will prohibit the data transfer.

How to Proceed

  • As a consequence of the decision, companies should examine their data transfers through comprehensive data mapping.

  • Data transfers done on the basis of the EU-US Privacy Shield must stop and all processors, who have thus far used the Privacy Shield, must be instructed to immediately cease data transfers on that basis.

  • Data transfers based on SCCs should be scrutinised and documented.

  • Companies should consider whether data transfers to third countries are necessary or whether a service provider in a third country can be supplemented with one located in the EU.

  • Should a company that is established in Baden-Wuerttemberg determine that a third country service provider is irreplaceable, then the SCCs should be supplemented with additional terms as proposed by the DPA of Baden-Wuerttemberg.

  • Companies should also update Art. 13-information, records of processing activities, and should implement extra technical measures. Given that the EDPB and the German Federal Commissioner for Data Protection and Freedom of Information have decided to establish a task force on complaints against the use of social media and web analytics services, companies involved in providing or using these services are encouraged to act swiftly on the measures outlined above.

© Copyright 2020 Squire Patton Boggs (US) LLP

National Law Review, Volume X, Number 267



About this Author

Dr. Annette Demmel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Berlin, Germany

Dr. Annette Demmel is a partner in our Data Privacy & Cybersecurity Practice Group in Berlin. For 20 years, Annette has advised national and international businesses in privacy law, technology law, telecommunications law, intellectual property law, media law and competition law.

In particular, she leads the implementation of privacy compliance programs and centralized software systems, and provides advice on policy and regulatory issues arising in the electronic communications and internet sectors. Annette also advises clients on legal issues relating to profiling and online...

49 30-72616-8226
Mareike Lucht Data Privacy & Cybersecurity Attorney Squire Patton Boggs Berlin, Germany

Mareike Lucht is an associate in the Data Privacy & Cybersecurity Practice based in our Berlin office. She advises and represents clients in national and international privacy compliance, with a special focus on the current development of data privacy laws. Mareike regularly drafts international data transfers agreements, privacy policies and assists with data subject access requests (DSARs). She handles IT and commercial contracts, in particular in the e-business sector. She further advises national and international clients on M&A transactions and compliance, focusing on data transfers.

Mareike holds an LL.M. from the University of San Diego, California, with a specialisation in US Business and Corporate Law. Before joining the firm, she worked at other prominent law firms in Berlin, Germany, and Los Angeles, California, as an associate and a trainee. She also worked for an internet start-up in San Diego.

49 30-72-616-8131