GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

By Jan Spittka und Jan Pohle

While Cloud Computing and other types of trans-border transfers are nowadays vitally important for data processing, the transfer of personal data to third countries (i.e. non-EU/EEA countries) is subject to specific requirements under European data protection law. The data controller, e.g. the company transferring personal data to its affiliates or service providers, must ensure an adequate level of data protection, according to the EU Data Protection Directive (Directive 95/46/EC). Trans-border flows of personal data are now reviewed by German Data Protection Agencies (DPAs).

Enquiry of the DPAs

On 3 November 2016, ten German DPAs made a statement to the press (available here – in German only), explaining that the transfer of personal data has increased strongly over the last years. In order to raise awareness of the legal frame regarding cross-border data transfers, a questionnaire (available here – in German only) will be send to 500 German companies of all size and with various fields of activity. Both management and companies´ data protection officer shall sign the questionnaire. The companies are expected to specify which services and products used by them require cross-border data transfer. The questionnaire contains in particular inquiries relating to marketing, recruiting, cloud storage, internal communication systems, and intra-group data transfer. The legal ground for each data transfer must be communicated.

Legal Background

The EU Data Protection Directive provides for several options to ensure an adequate level of data protection: Standard Contractual Clauses, Binding Corporate Rules, a special agreement, especially the US-EU-privacy Shield or a decision of the European Commission, stating that a certain country ensures such level of data protection. German DPAs notice an unsatisfying level of sensibility regarding data protection in cross-border scenarios. Their aim is to evaluate if and to what extent companies comply with European Data Protection law.

 Practical Impact

  • Companies using Cloud Computing should be alarmed.
  • DPAs expressed that the questionnaires and the corresponding answers may constitute a reason to conduct a “more thorough investigation”.
  • Such investigations could lead to administrative fines up to EU 300,000.
  • Therefore, the questionnaire has to be considered thoroughly and reviewed carefully. If German DPAs are not satisfied with the answers, following measures will probably be taken.