The protection of personal data played a major role even before the introduction of the General Data Protection Regulation (GDPR). Given that similar levels of data protection are not guaranteed in every country, companies must take particular care when transferring customer data and employee data to non-member countries outside the European Union or the European Economic Area.
The Court of Justice of the European Union defined the data protection requirements for data transfer to non-member countries in its Schrems II judgment dated 16 July 2020 (Ref.: C-311/18). The judgment declared the EU-US Privacy Shield invalid. Data transfer can still be based on the standard contractual clauses (SCC) of the EU Commission. However, concluding the contract with these clauses alone is no longer adequate. If the data exporter intends to transfer personal data to a non-member country on the basis of the SCC – because reasonable alternatives are not available – they first have to assess whether an adequate level of data protection is guaranteed for the data specifically being transferred to the target country. If this is not the case, additional measures must be taken to guarantee an adequate level of data protection.
Data protection authorities send out questionnaires
The data protection authorities in a number of German states (Baden-Württemberg, Bavaria, Berlin, Brandenburg, Bremen, Hamburg, Lower Saxony, Rhineland-Palatinate, Saarland) are currently reviewing whether companies are taking suitable measures to implement the CJEU decision. Accordingly, the states are sending out questionnaires to selected companies. The surveys cover the following:
- the use of e-mail service providers when sending e-mail,
- the use of hosting providers for websites,
- the use of web tracking,
- the use of service providers for applicant data management and
- the exchange of customer and employee data within the corporate group.
CJEU: non-member countries must guarantee an adequate level of protection
The background: In its Schrems II judgment, the CJEU clearly stated that personal data transferred to a non-member country on the basis of the standard protection clauses must have an adequate level of protection. This must be the equivalent of the level guaranteed by the GDPR in the EU. When evaluating the level of protection, the contractual regulations between the exporter located in the EU and the recipient in a non-member country must be considered. The extent to which the authorities in the non-member country can access the data must also be taken into account.
If the data protection required under EU law cannot be complied with in the non-member country, the responsible authorities must suspend or prohibit the data transfer to the non-member country. This was clearly stated by the CJEU. In this context, the court also declared the Privacy Shield data treaty with the USA to be invalid.
Unintentional cross-border data traffic
The CJEU decision has far-reaching consequences for companies. Companies must ensure that an adequate level of data protection is guaranteed for data transfer to non-member countries. The data protection authorities are currently investigating whether companies have implemented the CJEU requirements. Cross-border data traffic often occurs unintentionally, simply through the use of conventional service providers such as e-mail providers. This is precisely why such a large number of companies are affected.
Internal transfer of employee data
Data protection applies not only to the handling of sensitive customer data, but also to the transfer of employee data within the company. A corresponding level of protection must also be ensured in this case. A data transfer within the meaning of the GDPR can be assumed if an employee can access the data remotely from the non-member country.
The data protection authorities have to investigate whether the data protection is guaranteed in accordance with the Schrems II ruling. Many companies will need to change long-standing business processes – including how they handle employee data internally.