500 companies to be randomly investigated for international transfers | Fieldfisher
Skip to main content
Select location United Kingdom
Insight

500 companies to be randomly investigated for international transfers

Marcus Kamp
03/11/2016
500 companies will be randomly investigated in Germany for their compliance with international data transfer rules. Want to know more - then read on!

The German Data Protection Supervisory Authorities today announced that they have randomly chosen 500 companies in Germany to investigate their transfer of personal data outside the EU (German readers can see here for the announcement). The selected companies are of different sizes so that not only international corporate groups will be affected by this investigation, but also smaller businesses. The 10 Data Protection Supervisory Authorities concerned have in particular identified the increasing use of cloud-based services as a major risk for the violation of data protection laws.

According to the Data Protection Supervisory Authorities, the main purpose of this investigation is to raise awareness of the need to comply with international data transfer rules. The selected companies will receive information requests from the Data Protection Supervisory Authorities within the next days.  While the investigation is ostensibly for the purposes of awareness-raising, the possibility of more detailed investigations - and even enforcement - cannot be ruled out, especially for any companies contacted which are found to be materially out-of-compliance.

Legal background

A transfer of personal data outside the EU is only lawful in case an appropriate data protection level similar to the one in the EU is also guaranteed in the country where the data is transferred. Accepted standards are mainly a certification by the EU-U.S. Privacy Shield, data transfers based on the EU Standard Contractual Clauses, Binding Corporate Rules, or if the respective data subject has voluntarily agreed on the data transfer.  For more on this topic, please refer to our previous blog posts here.

Recommendation

Companies who receive the respective information requests from the German Data Protection Supervisory Authorities should carefully reply to this. Although the main purpose of this investigation shall be to raise awareness, the Data Protection Supervisory Authorities have the right to impose a fine of up to EUR 300,000 in case of a violation of data protection rules. They have exercised this right more and more frequently in recent years.