Tag Archive: Germany

GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

by Jan Spittka und Jan Pohle

While Cloud Computing and other types of trans-border transfers are nowadays vitally important for data processing, the transfer of personal data to third countries (i.e. non-EU/EEA countries) is subject to specific requirements under European data protection law. The data controller, e.g. the company transferring personal data to its affiliates or service providers, must ensure an adequate level of data protection, according to the EU Data Protection Directive (Directive 95/46/EC). Trans-border flows of personal data are now reviewed by German Data Protection Agencies (DPAs).

Enquiry of the DPAs

On 3 November 2016, ten German DPAs made a statement to the press (available here – in German only), explaining that the transfer of personal data has increased strongly over the last years. In order to raise awareness of the legal frame regarding cross-border data transfers, a questionnaire (available here – in German only) will be send to 500 German companies of all size and with various fields of activity. Both management and companies´ data protection officer shall sign the questionnaire. The companies are expected to specify which services and products used by them require cross-border data transfer. The questionnaire contains in particular inquiries relating to marketing, recruiting, cloud storage, internal communication systems, and intra-group data transfer. The legal ground for each data transfer must be communicated.

Legal Background

The EU Data Protection Directive provides for several options to ensure an adequate level of data protection: Standard Contractual Clauses, Binding Corporate Rules, a special agreement, especially the US-EU-privacy Shield or a decision of the European Commission, stating that a certain country ensures such level of data protection. German DPAs notice an unsatisfying level of sensibility regarding data protection in cross-border scenarios. Their aim is to evaluate if and to what extent companies comply with European Data Protection law.

 Practical Impact


  • Companies using Cloud Computing should be alarmed.
  • DPAs expressed that the questionnaires and the corresponding answers may constitute a reason to conduct a “more thorough investigation”.
  • Such investigations could lead to administrative fines up to EU 300,000.
  • Therefore, the questionnaire has to be considered thoroughly and reviewed carefully. If German DPAs are not satisfied with the answers,       following measures will probably be taken.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-cloud-computing-and-trans-border-transfers-of-personal-data-under-review-of-german-dpas/

GERMANY: Bavarian Data Protection Authority issues guidance on GDPR Sanctions

By: Dr. Thomas Jansen and Mari Martin

On September 1, 2016, the Bavarian Data Protection Authority (BayLDA) issued a brief paper outlining the basic principles of the future sanction regime under the European General Data Protection Regulation (GDPR). The document is available at the following link: https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf (German-language only).


The GDPR will become effective on May 25, 2018, after a transition period of two years. European supervisory authorities are currently working to achieve a more uniform view of the new basis and requirements for data protection at the European level. In the meantime, the BayLDA plans to periodically publish papers such as this one on selected topics. The BayLDA explicitly notes that is not a binding interpretation of the regulation.

Amount and Scope of Administrative Violations and Fines Increased

According to the GDPR, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines of up to 20 million EUR or 4% of the organization’s total annual global turnover.

Further, as explained with reference to the “economic enterprise concept” in the explanatory memorandum of the Treaty on the Functioning of the European Union (recital 150), if the sanctioned entity is part of an “undertaking,” the total annual turnover of the entire undertaking is the relevant amount from which the 4% fine will be deducted, not just the annual turnover of the specific sanctioned entity (i.e. the individual controller or processor). Please see our post of July 26, 2016 titled “EU: GDPR – Group revenues at risk of fines” for more information on the meaning of an “undertaking.”

The GDPR provides for a significantly wider range of offences than does the current German Federal Data Protection Law (BDSG). Under the GDPR, violation of the vast majority of provisions regulating data controllers and processors is subject to a fine. The GDPR provisions regarding administrative fines demonstrate the European Commission’s (EC’s) intention to provide for financial sanctions for data protection infringements and to enable severe sanctions if necessary. Exceptions should exist only for minor infringements and when a fine would be disproportionately burdensome.

The GDPR imposes fines on both controllers and processors. In addition, accredited certification bodies under Article 43 of the GDPR, which are responsible for properly assessing and certifying compliance by data controllers and processors with data protection regulation and organizational codes of conduct, may be subject to administrative fines due to breach of their obligations.

According to the BayLDA, it can be assumed that organizations may be held responsible for violations committed by their employees. However, the GDPR does not regulate the extent to which fines may be imposed on employees themselves. This issue remains unclear.

Fines Imposed for Violations of Technical and Organizational Measures

In an important change from the BDSG, the GDPR provides that violations of the duty to take appropriate and adequate technical and organizational measures to protect personal data are an administrative offense subject to fines. Also significant is the fact that the GDPR sets out fines for violations of the obligation to ensure implementation of the principles of privacy by design and privacy by default. These changes underscore the great value the EC places on the importance of technical and organizational measures and the principles of privacy by design and privacy by default for effective data protection.

Factors Influencing the Amount of Fines

According to the EC, a number of factors must be considered when determining the amount of fines. Previous breaches of data protection law should be considered an aggravating factor. The extent to which the controller or processor cooperated with the supervisory data protection authority should be considered. Further, if the controller or processor gives the supervisory authority incomplete or inaccurate information during the course of an investigation, this should be considered an aggravating factor, as recognized by the European Court of Justice in the field of competition law.

As stated by the EC, the GDPR is intended to lead to a uniform application of sanctions in Europe In the future, the European Data Protection Board may develop relevant guidelines.


All organizations operating as either a data controller or processor in any EU member state should be aware of the significant increase in both the amount and scope of potential fines under the GDPR. In particular, administrative fines under the GDPR may be up to 4% of the total worldwide annual turnover of the preceding financial year in the case of an “undertaking.” Such enhanced financial penalties for data protection violations are intended to prevent organizations from incurring any profit in the event of a data protection breach.

In addition, organizations should carefully note the imposition of fines due to violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.

If you would like to discuss how we can help your organisation, please get in touch with your usual DLA Piper contact or email us at dataprivacy@dlapiper.com.

For further information on the GDPR please visit our dedicated GDPR microsite.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-bavarian-data-protection-authority-issues-guidance-on-gdpr-sanctions/

GERMANY: Substantial fines for companies still relying on the now-defunct Safe Harbor Agreement

By: Dr. Thomas Jansen (thomas.jansen@dlapiper.com) and Verena Grentzenberg (verena.grentzenberg@dlapiper.com)

One of Germany’s state data protection authorities, the Hamburg Data Protection Authority (“DPA”), has announced that it will impose fines on companies which are still relying on the Safe Harbor Scheme.

On 6 October 2015, the European Court of Justice (“ECJ”) declared the Safe Harbor Scheme invalid. In the aftermath, the European DPAs set a grace period until 31 January 2016 which allowed firms to rely on the Safe Harbor Scheme as a legal basis for data transfer.

This grace period has now expired. “I did not expect international companies to continue data transfers to the U.S. relying on the Safe Harbor Agreement as a legal basis” said Johannes Caspar, head of the Hamburg DPA.

After expiration of the grace period, the Hamburg DPA has initiated administrative proceedings against companies that were unable to provide alternative safeguards, such as EU-Model Clauses or Binding Corporate Rules (“BCRs”).

Currently, the Hamburg DPA is preparing to commence proceedings against three large international companies. The DPA has not released the names of the companies yet, but it has revealed that two additional companies are also under investigation.

The proceedings may lead to fines of up to 300.000 EUR per breach.

Several German DPAs have expressed serious doubts that the EU-Model Clauses and BCRs meet the requirements of the ECJ decision, including the Hamburg DPA. Also it has been officially announced by all German DPAs that transfers based on EU- Model Clauses and BCRs will be reviewed in detail, in particular, in case of complaints by data subjects. However, most German DPAs indicated informally that they will accept these alternative measures as long as the Article 29 Working Party has not decided otherwise in a formal statement. Consequently, in general, companies can currently rely on EU-Model Clauses and BCRs as a valid legal bases.

On 2 February 2016, the U.S. and the EU reached an agreement on the key principles of the future transatlantic data transfer (EU-US-Privacy Shield) which imposes stronger obligations on companies in the U.S. to protect European’s personal data. It also provides for stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including increased cooperation with European Data Protection Authorities. This agreement will replace the Safe Harbor Agreement and is currently being reviewed by Europe’s data protection regulators. The Article 29 Working Party has stated that no actions need to be taken until it has been determined that the agreement satisfies the privacy concerns.

We will keep you posted about future developments.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-substantial-fines-for-companies-still-relying-on-the-now-defunct-safe-harbor-agreement/

GERMANY: ECJ Safe Harbor Decision German Update

Off the record we received some additional information on the further approach in terms of Safe Harbor:


German data protection authorities have scheduled a meeting on Friday where they will discuss how to proceed in Germany in implementing the decision of the European Court of Justice.  The outcomes of that meeting will then be coordinated with the European data protection authorities. Until that occurs, no joint press release from data protection authorities in Germany should be expected.


In a German data protection authority’s off-the-record view, the invalidity of Safe Harbor will apply from now on (ex nunc) and not retroactively (ex tunc). This is in line with paragraph 52 of the European Court of Justice Decision (C-362/14) and good news for German companies.

But the same data protection authority also indicated that a grace period to shift from Safe Harbor arrangements to the EC Model Clauses might not be granted. Although this off-the-record statement is, of course, not official and not coordinated with other data protection authorities, we highly recommend entering into EC Model Contracts with service providers as soon as possible, because data protection authorities are entitled to order suspension of services under Safe Harbor with immediate effect.

Bremen’s data protection authority already stated in an official press release that it expects all companies seated in Bremen to react immediately (https://ssl.bremen.de/datenschutz/sixcms/media.php/13/Pressemitteilung+Safe+Harbor.docx.pdf).


We have heard off the record from at least one DPA that in their view, because it will be possible for US governmental organizations, such as the NSA, to access personal data of European individuals in the US, putting EC Model Clauses in place will still not ensure an adequate level of data protection. Nevertheless, absent a court decision of invalidity, they wouldn’t prohibit the processing and/or transfer of personal data covered by EC Model Clauses for the time being.


It is already very challenging to obtain getting a declaration of consent of each affected person. The European Court of Justice decision may make full compliance with requirements for obtaining valid consent UNDER GERMAN LAW even more difficult. The transferring party must not only inform about the categories of data, the receiving party, purposes of processing, right to rejection and inadequate level of data protection in the US, but also about missing enforcement and deletion, blocking and erasure rights of the affected individual. –

In summary, as EC Model Clauses have not been declared to be invalid, entering into EC approved Model Clauses is currently the safest way to structure data processing and/or data transmissions in the US of personal data from Germany.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/further-approach-in-germany/

GERMANY: Government proposes draft law introducing class actions for data protection violations

On 4 February 2015, the German federal government published a draft law on the improvement of enforcement of data protection provisions protecting consumers (Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts) (“Draft Law”). Provided the Draft Law passes the German parliament, consumer protection associations and industry chambers will be able to file class actions against companies violating data protection provisions protecting consumers.


According to its reasoning, the new law intends to protect consumers from increased threats due to recent technical developments. As a result of the continuous development of information technology, it has become simpler and faster to collect and process personal data. Personal data are often used for purposes different from the original purpose for which the data were collected, without sufficient information being given to the data subjects or obtaining proper consent. For example, service providers offering free online services through apps or social networks use the personal data originally collected for the purpose of providing their service for profiling, advertising, data warehousing, and market research, with the aim of making their service more profitable.


Under the existing laws, consumer protection associations have very limited means to act in the case of data protection violations: they may only file cease and desist orders against companies whose general terms and conditions violate data protection laws. In particular, class actions are not permissible since, to date, courts have not recognized data protection laws as laws protecting consumers.


According to the Draft Law, the existing Injunctions Act (Unterlassungsklagegesetz, “UKlaG”) applicable to consumer protection laws will be extended to explicitly cover provisions regulating the admissibility of collecting and processing consumers´ personal data in the following areas: advertising, market and opinion research, scoring, creating personality and user profiles, as well as data warehousing (i.e. selling address data and other personal data for commercial purposes). As a result of this change, consumer organizations will be entitled to file for a cease and desist order if a company violates data protection laws to the disadvantage of consumers by collecting or using personal data for any of the above commercial purposes. However, it should be noted that the Draft Law protects the collective interests of consumers. Such interests are affected only if the significance and weight of the violation of data protection laws goes beyond the individual case. This applies especially if a large number of consumers are affected.


As a result of the proposed law, companies processing personal data for one or more of the mentioned commercial purposes should be prepared to face severe consequences for inadmissible practices. Consumer protection associations are likely to focus on consumer data protection compliance in the future. This will lead to an increased risk that non-compliance with data protection laws will be detected, which may not only lead to financial damages but also to competitive disadvantages and loss of reputation. Companies are well advised to review and adapt relevant data processing practices in order to be prepared once the new law enters into force.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-government-proposes-draft-law-introducing-class-actions-for-data-protection-violations/