German DPAs Auditing 500 Companies International Data Transfer Practices
On November 3, ten of the German Data Protection Supervisory Authorities (“DPAs”) announced they will be working together to select approximately 500 companies in Germany to audit for international personal data transfers for the purpose of raising awareness of data protection law. Over the coming days, the investigations will be initiated with a questionnaire. The DPAs claim they are conducting these audits because they are concerned that companies may not be aware they are transferring data outside of the EU due to the proliferation of cloud-based products and services. They assert the objective of the audit is to examine whether these transmissions are permissible under data protection law.
While the announcement notes this is an issue for both large and small businesses, the DPAs have not stated whether the investigations will be random or specifically targeted. Thus, any company doing business in Germany is on notice and should determine whether it is transferring data outside of the European Economic Area. If so, companies should confirm that they have EU-U.S. Privacy Shield, EU Standard Contractual Clauses, Binding Corporate Rules, or consent from the data subject in place for these international data transfers. If none of these transfer mechanisms are in place, companies would be wise to amend their contracts immediately to include EU Standard Contractual Clauses.
Though the DPAs claim they want to raise awareness regarding data protection law, it remains unclear whether they will fine companies found in violation of the law. Companies are urged to treat these audit questionnaires very seriously, as German DPAs are able to assess a fine of up to €300,000 for unlawful data transfers.
By implementing a transfer mechanism, companies may be able to mitigate potential fines. This year, the Hamburg DPA announced it would audit cross-border data transfers to the US, and three companies that were found in violation were able to reduce their fines significantly (to between €8,000 and €11,000 per company) by implementing Standard Contractual Clauses for cross-border transfers during the proceedings. However, multiple German DPAs have expressed their intent to penalize unlawful data transfers more harshly in the future, so companies should be prepared for heftier fines if found in violation.
Zerina Curevac is co-author of this article.