Late last week, 10 of Germany’s 17 Data Protection Authorities (DPAs) announced they are planning to send written questionnaires to approximately 500 different companies regarding international data transfers. The following provides a brief overview of the situation, as well as an English translation of the questionnaire, for companies who are potentially affected.
This summary refers to the German DPA questionnaire as a “survey.” In press releases and interviews, the German DPAs have been careful to state that the questionnaire is not an audit or enforcement action. Additionally, many German DPAs are operating near capacity – for example, the head of Bavaria’s DPA has stated in media reports that he has 16 full-time employees responsible for supervising 700,000 data controllers. It would be difficult for DPAs operating at that workload level to immediately begin full-scale audits of multiple companies. Nonetheless, noncompliance – which can also arise from delayed, incomplete, or incorrect answers to the DPAs’ questionnaire – can potentially lead to more probing investigations and enforcement actions.
1. Participating DPAs
The following DPAs are participating in the survey. Companies with subsidiaries, branches, facilities, or assets in the participating German states may potentially receive a questionnaire.
| Participating | Not Participating |
| --- | --- |
| Bavaria | Baden-Württemberg |
| Berlin | Brandenburg |
| Bremen | Hessia |
| Hamburg | Saxony |
| Mecklenburg-Vorpommern | Schleswig-Holstein |
| Lower Saxony | Thuringia |
| North Rhine-Westphalia | Germany’s Federal DPA |
| Rheinland-Pfalz | |
| Saarland | |
| Saxony-Anhalt | |
2. Scope and Purpose of the Survey
As stated above, approximately 500 companies operating in Germany will receive written questionnaires in the coming weeks. The German DPAs state that they have chosen companies that represent a range of small, medium, and large companies – but also state that within those ranges, individual companies were selected at random.
In press releases, the participating German DPAs uniformly describe the mission of the survey as “sensitizing companies to transfers outside the EU” that occur through third-party-offered services and applications. The DPAs state their experience is that most companies are not aware of the international transfers that cloud-based software and services entail. As a result, almost all the questions asked in the survey are aimed at identifying what cloud-based services companies are using. Also, some of the DPAs have stated that the survey is intended to generate an overview of the cloud-based market, which could be used as a baseline for future supervisory activities.
3. Questions Asked in the Survey
The questionnaire is approximately 2.5 pages long, and can be downloaded (in German) by clicking here. To assist companies, Alston & Bird is also offering an unofficial and unsanctioned English translation of the questionnaire, which can be accessed by clicking here.
The questionnaire has 4 sections: (1) Transfers to the US; (2) Transfers to Other Third Countries; (3) Types of Transfers; and (4) Involvement of Internal Data Protection Officers.
For (1) (Transfers to the US), the questionnaire shows German DPAs making sure companies have legal bases in place justifying transfers to the US. Importantly, the questionnaire is also designed to figure out (a) whether any companies are still relying on Safe Harbor; and (b) whether German companies are performing the due diligence German DPAs require to make sure Privacy Shield certifications of US data importers are valid.
For (2) (Transfers to non-US Third Countries), the intent appears to be to ascertain which non-US countries employee and customer data are flowing to.
For (3) (Types of Transfers), the DPAs ask companies whether they are receiving any of the following services from external providers:
- remote maintenance;
- product/software support;
- employee travel management;
- customer relationship management or marketing;
- recruiting services, job application management, or skills databases;
- cloud-based storage;
- communication services (e.g. email, video conferencing);
- cloud-based office solutions;
- collaboration platforms (e.g. document sharing or instant messaging);
- ticket or support systems to handle requests of German customers;
- risk management or compliance services (e.g. a complaint hotline); or
- any other external-provider-offered service.
To the extent it is possible that personal data are transferred outside the EU/EEA in connection with a company’s use of any of these services, the DPAs ask the companies to identify the service(s) at issue.
For (4) (Internal Data Protection Officer), the questionnaire shows German DPAs stating that companies with internal Data Protection Officers (DPOs) should have their DPO involved in assessing the legality of international transfers. If the DPO is not involved, the questionnaire states that companies may have to justify the exclusion to DPAs.
4. Next Steps
The German DPA questionnaire provides an excellent opportunity for affected companies to obtain an overview of the international transfers generated by the third-party business solutions they are presently using. Also, German DPAs are doing companies a favor by providing a foretaste of the kind of recordkeeping that will be expected once the EU’s General Data Protection Regulation (GDPR) enters into force in May 2018. Article 30 of the GDPR requires data controllers to keep detailed records of all processing activities for which they are responsible, and to produce these records to DPAs upon demand. German DPAs traditionally consider transfers a processing activity, meaning that third-party (or cloud-based) services that involve transfers should be contained within a company’s processing records. Many companies are presently installing uniform record formats for entities that collect or process EU data, as well as processes for keeping and regularly updating centralized records of their processing activities. Once the GDPR enters into force, the penalty for not having complete records in place for DPA inspection will be €10 million or 2% of a company’s annual worldwide turnover.
The German DPAs’ survey also serves as a reminder that companies need to assess whether they must appoint a DPO – and if so, that they need policies and processes in place to involve the DPO in matters that involve processing or transferring EU data. The GDPR requires any company whose core activities involve large-scale monitoring to appoint a DPO, and also permits EU Member States to require DPOs in further situations. An early draft of new German data protection laws shows Germany – similar to its present regime – requiring companies to appoint a DPO as long as there are 10 full-time employees regularly processing personal data. Under the GDPR, failure to appoint or properly involve a DPO can result in fines of €10 million or 2% of a company’s annual worldwide turnover.
* * * * *
Alston & Bird is closely monitoring the results of the German DPAs’ transfer survey, and has German-fluent resources able to assist companies with any questions. For more information, contact Jim Harvey or David Keating.