International data transfers under scrutiny: German DPAs launch joint multi-state audits

At the beginning of the year, the German data protection authorities (DPAs) announced that they would take joint action to enforce the decision of the European Court of Justice (ECJ) in the "Schrems II" case. On June 1, several German DPAs published statements that they have now launched a multi-state audit process to examine data transfers by companies to countries outside the European Union (EU) or the European Economic Area (EEA) (third countries).

Background

In its Schrems II decision (judgment of July 16, 2020, C-311/18), the ECJ found that transfers to the U.S. can no longer be made on the basis of the EU-US Privacy Shield adequacy decision. Furthermore, the ECJ held that the use of the standard contractual clauses (SCCs) for data transfers to third countries is only permitted where the controller has assessed the risk to the transferred data and implemented any additional measures necessary to ensure its adequate protection (see our blog post here). Later in 2020, the European data protection authorities published additional guidance on how companies can comply with these requirements (see our blog post here).

The requirement to conduct a risk assessment and implement additional measures where necessary remains relevant to the new set of SCCs recently adopted by the European Commission (see our summary here).

Which German DPAs are participating in the audit?

According to the press statements, the DPAs of the following nine German federal states have contacted selected companies requesting that they complete questionnaires:

  • Baden-Württemberg,
  • Bavaria,
  • Berlin,
  • Bremen,
  • Brandenburg,
  • Hamburg,
  • Lower Saxony,
  • Rhineland-Palatinate and
  • Saarland.

Public announcements of the multi-state audit can be found in press statements of several DPAs, including the DPAs of Berlin, Hamburg and Lower Saxony.

What is the general scope of the audit?

The questionnaires cover different scenarios that typically involve data transfers to third countries. In particular, they request information about recipients’ use of:

  • email services;
  • web hosting services;
  • web tracking services;
  • services for the management of job applicant data; and
  • intragroup transfers of customer and employee data.

Each DPA reserves the right to decide individually which of these subject areas it will examine when reaching out to companies under its supervision, and whether to amend the questionnaire regionally. For instance, the DPA of Lower Saxony has sent out questionnaires covering the use of email and web hosting services to 18 companies in Lower Saxony from various industries.

The questionnaires jointly agreed between the above DPAs can be accessed here (in German).

Which information is requested from companies?

The questionnaires each comprise five to ten pages and are clearly aimed at providing the DPAs with a comprehensive and detailed picture of companies' compliance with international data transfer requirements. Each questionnaire follows a similar structure, which can roughly be divided into the following sections.

The first section contains questions around whether the addressed company transfers personal data outside the EU/EEA and what service providers it has engaged, including their location.

In the second section, companies are requested to provide information on the legal basis upon which they are transferring personal data to data recipients outside the EU/EEA. The company may select the following legal bases for the international data transfer:

  • Adequacy decision;
  • SCCs;
  • Binding Corporate Rules;
  • Exceptions under Article 49 GDPR; or
  • Other transfer mechanisms.

Where the company bases transfers on SCCs, it must provide a copy of the signed SCCs and indicate whether it made an assessment regarding the level of data protection in the third country receiving the data. In particular, the DPAs ask whether the company determined that there are no provisions in the laws of the third country that make it impossible for recipients to comply with their contractual obligations under the SCCs, in order to ensure that the level of data protection of individuals guaranteed in the EU/EEA is not undermined.

Where the data recipient is located in the U.S., the company must indicate whether the data importer is considered an electronic communication service provider and subject to FISA 702.

Depending on the result of this assessment, the company must either (1) indicate the reasons why it concluded that the data recipient can in fact guarantee performance of the contractual obligations under the SCCs and provide supporting evidence; or (2) indicate why it concluded that the data recipient cannot guarantee performance of its contractual obligations under the SCCs, and state what additional measures it has consequently implemented.

In addition, companies are requested to answer questions regarding measures they have taken, such as the use of encryption, which ensure the ongoing protection of transferred data in the event of new circumstances (such as a change to relevant laws).

Where companies have not yet fully implemented any necessary measures to protect transferred data, they are requested to provide information on whether they have initiated efforts to do so.

Lastly, companies are requested to provide all relevant parts of their record of processing activities relating to their use of email services, web hosting services, web tracking services, job applicant data management services and international intragroup data transfers.

Key take-aways and next steps

The German DPAs have stated on several occasions that they are aware of the immense practical challenges that the ECJ ruling poses for companies in Germany and Europe. However, they have also made clear that they expect controllers to seriously consider and address the new requirements, and to independently seek solutions which ensure compliance with the GDPR and reduce the risks to individuals whose data are transferred to third countries. The current audit underlines this position.

Given that the GDPR entitles DPAs to take further enforcement action, including binding orders to cease cross-border data transfers and high fines, companies should carefully consider their response to these questionnaires. Whilst it is often advisable to adopt a cooperative approach when communicating with DPAs, companies should be aware of their rights under German administrative and procedural laws. In particular, under German administrative laws a response to an audit questionnaire is only legally required to the extent a DPA has issued a binding formal administrative act. Companies are also entitled to access the DPA’s internal files in the underlying case.


Authored by Henrik Hanssen and Theresa Mengler.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
