On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.
The first version of the DPA-BW’s guidelines was published on August 25, 2020. The September 7, 2020 version aims to provide more certainty for companies, including a specific checklist for those transferring data to so-called third countries. Although these guidelines are not legally binding, even for companies operating within the jurisdiction of the Baden-Wuerttemberg DPA, they arguably illuminate the types of issues that supervisory authorities will be thinking about in light of the Schrems II decision:
- Create an inventory of data transfers to third countries
The DPA-BW recommends that companies immediately create an inventory of all cases in which they export personal data to third countries. This inventory may also include cases where private or public bodies in third countries may have remote access to data held by the business in the EU (e.g. interfaces, retrieval possibilities, remote maintenance); a “physical” export of the data is therefore not necessary.
- Check and adapt data privacy policies and records of processing activities
It is further recommended that companies check and adapt their data privacy policies, in particular with regard to their duty to inform in accordance with Article 13(1)(f) of the GDPR, which states that data subjects must be informed, not only of the company’s intention to transfer their personal data to a third country, but also of the specific transfer mechanism employed. Companies should update their policies if, for example, the EU-U.S. Privacy Shield is still named as a transfer mechanism.
Note: According to the DPA-BW, the continued reference to data transfers under the EU-U.S. Privacy Shield represents a potential risk that should not be ignored. Companies should therefore update any references to the EU-U.S. Privacy Shield and reassess their underlying processes. Meanwhile, U.S. authorities recommend that Shield-certified companies continue to comply with its requirements, even if the Shield is not the legal mechanism used for transferring data.
- Instruct data processors
The DPA-BW recommends that companies instruct in writing or by e-mail (as required by the relevant contract) all processors that transfer personal data to, or process personal data in, the U.S. under the EU-U.S. Privacy Shield to suspend the transfer of personal data to the U.S. This suspension should be done with immediate effect until a company’s processors or sub-processors have ensured that an adequate level of data protection in accordance with the GDPR is guaranteed in each individual case, for example, by using alternative processing and transfer mechanisms.
- Remain informed on the legal situation in third countries
The DPA-BW recommends that companies keep abreast of the legal situation in each third country to which they transfer data, in relation to data protection laws; the powers state authorities have to access data; any rights and legal protections afforded to businesses, the data importer, and the data subject; and current practices with regard to the level of data protection. Covington regularly assists clients with staying informed on data protection regimes in third countries.
The DPA-BW also recommends that companies stay informed about whether transfers of data to a third country can be based on an adequacy decision of the European Commission pursuant to Article 45 of the GDPR for that specific country, or if businesses can utilize the current Standard Contractual Clauses (“SCCs”) for a specific country. According to the DPA-BW, transfers of data to the U.S. based on SCCs are still possible if supported by additional guarantees (e.g. encryption and anonymization).
Note: In the updated version of the DPA-BW guidelines, “pseudonymizing” personal data has been removed as an example of a suitable further guarantee. However, the DPA-BW has removed this reference without any explanation. From our point of view, this does not necessarily mean that pseudonymization is no longer an appropriate or helpful safeguard.
- Consider the DPA-BW recommendations regarding the use of SCCs
In the absence of effective additional guarantees, the DPA-BW recommends that companies contact the respective recipient of the data and agree, in particular, on further terms or contractual language, which should be set out in a separate (supplementary) agreement that refers to the SCCs or is included in the SCCs. The DPA-BW also proposes specific changes to clauses 4f, 5d, 5h and 6 of the current SCCs. Note, however, that the European Commission is expected to release new SCCs by the end of 2020, which could influence how companies approach reliance upon the SCCs.
- Consider the DPA-BW recommendations regarding the use of Binding Corporate Rules (“BCR”)
The DPA-BW’s recommendations also impact companies that rely on Binding Corporate Rules to transfer data, and additional guarantees may also be required in these cases.
Note: Significant changes to a company’s existing BCRs may require renewed approval by a competent supervisory authority.
- The DPA-BW recommends that companies consider whether the transfer of data can be based on an exemption under Article 49 GDPR. See our recent post on the U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II.
- It further recommends that companies consider whether it is possible to use service providers that:
- commit to process data only within the EU;
- contractually undertake not to transfer data to a third country, or
- encrypt the data and have sole access to the key.
- Finally, the DPA-BW recommends that companies ensure that they can prove they have followed the aforementioned steps.
The DPA-BW also announced that it will consider whether there are reasonable alternatives to transferring data to third countries. If a company cannot convince the DPA-BW that transferring data to third countries is essential, the DPA-BW will prohibit the transfer of data.
To view Covington’s practical recommendations for immediate and long-term actions that businesses may want to consider implementing following the Schrems II judgment, see our September 4, 2020 blog post here.