On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German). The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”). Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.
Among other things, a proposal was put forth to begin directly querying organizations in Germany about the practical steps they have taken (if any) to ensure the lawfulness of their personal data transfers. In particular, the Hamburg SA indicated that it would begin carrying out random checks using an “agreed questionnaire” with specific queries on how controllers are implementing the CJEU’s judgment, and each German SA would be free to decide whether it will also carry out such checks.
In light of this development, companies transferring personal data outside of Europe (including to the United States) should be aware that their transfers may soon be subject to greater scrutiny in Germany. Therefore, if they have not already done so, companies should take account of their transfers and consider what additional measures may be needed to demonstrate compliance with the Schrems II decision. Among other things, they may want to consider the European Data Protection Board’s draft recommendations on measures that supplement transfer tools to ensure an adequate protection of personal data (you can find our prior blog post on those draft recommendations here).