German DPAs Auditing 500 Companies International Data Transfer Practices
Friday, November 4, 2016
Breach, German DPAs Auditing 500 Companies International Data Transfer Practices

Related Practices & Jurisdictions
Print Mail Download i

On November 3,  ten of the German Data Protection Supervisory Authorities (“DPAs”) announced they will be working together to select approximately 500 companies in Germany to audit for international personal data transfers for the purpose of raising awareness of data protection law. Over the coming days, the investigations will be initiated with a questionnaire.  The DPAs claim they are conducting these audits because they are concerned that companies may not be aware they are transferring data outside of the EU due to the proliferation of cloud-based products and services. They assert the objective of the audit is to examine whether these transmissions are permissible under data protection law.

Next Steps

Lock, SecurityWhile the announcement notes this is an issue for both large and small businesses, the DPAs have not stated whether the investigations will be random or specifically targeted.  Thus, any company doing business in Germany is on notice and should determine whether they are transferring data outside of the European Economic Area. If so, companies should confirm that they have EU-U.S. Privacy Shield, EU Standard Contractual Clauses, Binding Corporate Rules, or consent from the data subject in place for these international data transfers. If none of these transfer mechanisms are in place, companies would be wise to immediately amend their contracts with EU Standard Contractual Clauses.

 Mitigation

Though the DPAs claim they want to raise awareness regarding data protection law, it remains unclear whether they will or will not fine companies found in violation of the law. Companies are urged to treat these audit questionnaires very seriously as German DPAs are able to assess a fine up to ‎€300,000 for unlawful data transfers.

By implementing a transfer mechanism, companies may be able to mitigate potential fines. This year, the Hamburg DPA announced they would audit cross-border data transfers to the US and three companies that were found in violation were able to reduce their fines significantly (‎between €8,000 to ‎€11,000 per company) by implementing Standard Contractual Clauses for cross-border transfers during the proceedings. However, multiple German DPAs have expressed their intent to penalize unlawful data transfers more harshly in the future so companies should be prepared for heftier fines if found in violation.

Zerina Curevac is co-author of this article. 

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Relying on CAFA's Discretionary "Home-State" Exception, Federal Court Punts Data Breach Class Action Back to State Court
by: Amy Brown Doolittle , Katherine A. Spicer
Why the Taylor Swift AI Scandal is Pushing Lawmakers to Address Pornographic Deepfakes
by: Susie Ruiz-Lichter
The Potential Mushroom Effect of the USPTO’s Mushrooming Patent Application Fees
by: Woli I. Urbe , Frank L. Bernstein
The USPTO Re-Explains What “Means” Means
by: Frank L. Bernstein
Singapore Progresses Towards Amended Cybersecurity Law
by: Charmian Aw
UK Litigation Funding Post PACCAR – Tying up Loose Ends
by: Helena Clarke , Rachael Markham
New York’s Renewed Efforts to Pass Sovereign Debt Legislation (US)
by: Jeffrey N. Rothleder , Tara Peramatukorn
I Won’t Take This Sitting Down – How To Escape Liability for Kind Thoughts in The Workplace (UK)
by: David Whincup
Heavyweight Fight, Did the US or EU KO the AI Treaty?
by: Andrea Otaola , Claire Murphy
Are you Ready for Washington and Nevada’s Consumer Health Data Laws?
by: Alan L. Friel , Kyle R. Fath

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins