June 26, 2019

June 26, 2019

Subscribe to Latest Legal News and Analysis

June 25, 2019

Subscribe to Latest Legal News and Analysis

June 24, 2019

Subscribe to Latest Legal News and Analysis

German DPAs Auditing 500 Companies International Data Transfer Practices

On November 3,  ten of the German Data Protection Supervisory Authorities (“DPAs”) announced they will be working together to select approximately 500 companies in Germany to audit for international personal data transfers for the purpose of raising awareness of data protection law. Over the coming days, the investigations will be initiated with a questionnaire.  The DPAs claim they are conducting these audits because they are concerned that companies may not be aware they are transferring data outside of the EU due to the proliferation of cloud-based products and services. They assert the objective of the audit is to examine whether these transmissions are permissible under data protection law.

Next Steps

Lock, SecurityWhile the announcement notes this is an issue for both large and small businesses, the DPAs have not stated whether the investigations will be random or specifically targeted.  Thus, any company doing business in Germany is on notice and should determine whether they are transferring data outside of the European Economic Area. If so, companies should confirm that they have EU-U.S. Privacy Shield, EU Standard Contractual Clauses, Binding Corporate Rules, or consent from the data subject in place for these international data transfers. If none of these transfer mechanisms are in place, companies would be wise to immediately amend their contracts with EU Standard Contractual Clauses.


Though the DPAs claim they want to raise awareness regarding data protection law, it remains unclear whether they will or will not fine companies found in violation of the law. Companies are urged to treat these audit questionnaires very seriously as German DPAs are able to assess a fine up to ‎€300,000 for unlawful data transfers.

By implementing a transfer mechanism, companies may be able to mitigate potential fines. This year, the Hamburg DPA announced they would audit cross-border data transfers to the US and three companies that were found in violation were able to reduce their fines significantly (‎between €8,000 to ‎€11,000 per company) by implementing Standard Contractual Clauses for cross-border transfers during the proceedings. However, multiple German DPAs have expressed their intent to penalize unlawful data transfers more harshly in the future so companies should be prepared for heftier fines if found in violation.

Zerina Curevac is co-author of this article. 

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Gretchen A. Ramos, Squire Patton Boggs, complex commercial disputes lawyer, Client Services Attorney

Gretchen Ramos, CIPP/US, CIPP/E, is an aggressive litigator with a long track record in complex commercial disputes. In addition to her prodigious legal skills, Gretchen brings a direct, no-nonsense approach to client service, and uses her creativity to simplify matters for in-house counsel with dozens of other cases – and little time – on their hands.

Gretchen is known for her ability to get to the heart of any dispute. She can quickly identify the key issues, eliminate the extraneous ones, and draw out a strategic roadmap that is both cost-...

415 743 2576
Annette Demmel, Information Technology Attorney, Squire Patton Boggs Law Firm

Dr. Annette Demmel is a partner in our Data Privacy & Cybersecurity Practice Group in Berlin. For 20 years, Annette has advised national and international businesses in privacy law, technology law, telecommunications law, intellectual property law, media law and competition law.

In particular, she leads the implementation of privacy compliance programs and centralized software systems, and provides advice on policy and regulatory issues arising in the electronic communications and internet sectors. Annette also advises clients on legal issues relating to profiling and online marketing business models.

She often acts as an external data protection officer. She also represents our clients in both in court and out-of-court disputes, often in matters involving cross-country issues.

  • Advising a multinational company on the outsourcing of the group IT services; negotiations with local Works Councils regarding privacy and co-determination rights with regard to cloud services and centrally managed solutions.
  • Project management for a multinational company on the implementation of privacy compliance solutions involving newly acquired companies in 20+ countries.
  • Advising a major international advertising holding on business models based on profiling and behavioral targeting.
  • Implementing cloud-based HR solutions in various international groups in more than 40 countries; leading negotiations with local data protection authorities and Works Councils.
  • Providing ongoing monitoring and analysis for a global communications provider, covering a broad range of telecommunications regulatory and competition law issues, including BNetzA market reviews and implementation of SMP obligations, abuse of dominance proceedings, spectrum policy, net neutrality and e-privacy.
  • Advising a US-based marketing company with one of the world’s largest databases for consumer marketing on data protection and serving as an external data protection officer for their German enterprise.
  • Advising an international electronics group on legal aspects of data security and data breaches.
  • Moderating roundtable discussions for the social media strategy and implementation in one of the world's best-known companies.
  • Structuring innovative e-business and entertainment platforms, and advising on internet-related data protection issues.
  • Defending an architect's copyright on a striking, contemporary building in Germany.
  • Representing a former state-owned company in several judicial IT legal matters.
+49 30 72616 8226