Compliance checks of German supervisory authorities regarding the implementation of the Schrems II decision

As announced today (press release of the Berlin authority in German, PDF), the German supervisory authorities are carrying out coordinated compliance checks relating to international data transfers with the help of five different questionnaires in five topic categories. Each authority decides individually in which of these topic areas it will take action by sending out the corresponding questionnaires and which companies it will approach. The questionnaires indicated below are available in German only under the following links:

Email host: https://datenschutz-hamburg.de/assets/pdf/Antwortbogen_Mailhoster.pdf

Web host: https://datenschutz-hamburg.de/assets/pdf/Antwortbogen_Webhoster.pdf

Tracking: https://datenschutz-hamburg.de/assets/pdf/Antwortbogen_Tracking.pdf

Applicant portals: https://datenschutz-hamburg.de/assets/pdf/Antwortbogen_Bewerberportale.pdf

Intra-group data processing: https://datenschutz-hamburg.de/assets/pdf/Antwortbogen_Konzerninterner_Datenverkehr.pdf

Within this post, I would like to elaborate on a few issues that stood out during an initial review of the questionnaires.

Freedom from self-incrimination vs. duty to cooperate with supervisory authorities

Unlike some other questionnaires sent out in the past, the publicly available versions contain no indication of whether answering the questions is voluntary or mandatory. This will probably be explained in more detail in the accompanying letters from the authorities.

A very general duty of companies to cooperate with supervisory authorities is regulated in Art. 31 GDPR. How far this obligation reaches is currently completely unclear. It cannot be interpreted in such a way that companies have to incriminate themselves: companies are protected under the nemo tenetur principle, which forms part of Art. 47 of the Charter of Fundamental Rights of the European Union. However, it should be noted that the CJEU has ruled in several cases that answering questions on "facts" is not contrary to the nemo tenetur principle (see, for example, CJEU Case T-112/98, para. 78, on answering questions relating to facts vis-à-vis the Commission), and companies are obliged to answer such questions even if the answers are self-incriminating for them. This will also have to be applied to the questions of the German supervisory authorities, insofar as they relate exclusively to facts.

The situation may be different for questions in which the authorities do not ask for facts. For example, question 9 of the questionnaire on email hosts / question 12 on web hosts / question 11 on web tracking / question 9 on applicant portals asks for a description of the reasons why the use of the SCC is lawful, together with evidence for this. Within the questionnaire on intra-group data processing, companies that have concluded that the recipient in the third country can comply with the obligations under the SCC are asked for the reasons for this conclusion and for evidence (question 8).

Questions on the records of processing activities

The questions of the different sheets overlap to some extent. In each case, for example, questions are asked about the roles of service providers (processors or joint controllers) and about an excerpt from the records of processing activities. Companies are obligated to provide the latter according to Article 30 (4) GDPR. Here, companies should note that the question about the records not only concerns the cooperation with service providers, but also deals, for example, with the "parts relating to the use of the website" or the "parts relating to the maintenance of the WWW pages". As I understand it, in the two cases cited, this means all entries in the records that concern data processing taking place on the website. One could speculate that the authorities want to enable themselves to check websites even further by obtaining this additional information from the records of processing activities. Companies should definitely double-check their records before releasing them as part of a response to the authority.

Question about possible disclosure of data in the third country

Within all questionnaires, the authorities would like to receive a response from companies to the following question:

"To the extent that the (possible) taking knowledge of personal data occurs in the U.S., are you or a recipient subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA), which allows U.S. authorities access to data at electronic communications service providers?"

The questionnaire on intra-group data processing also states as follows:

"Please note that it is already a transfer within the meaning of Chapter V of the GDPR if data stored in Germany, for example, can be accessed remotely by a person located in a third country."

It is noteworthy here that the supervisory authorities repeatedly refer to a purely theoretically possible remote access as a "data transfer". However, there is no indication in the GDPR that a merely possible, but not actually occurring, taking of knowledge or such a theoretically possible remote access is a data transfer. Consequently, it is questionable what the authorities want to make of the answer to their question. It is at least imaginable that companies answer "yes" to the question, but that for them, in the absence of a data transfer that has actually taken place, the requirements of the GDPR on data transfers do not apply at all, and therefore the obligations from the SCC do not apply to the service provider with regard to the purely theoretical transfer.

Question regarding the change in the legal situation

In principle, there are many overlaps in the questionnaires. Within the questionnaire on applicant portals and the one on intra-group data processing, there is a question on data transfers that is not included in the other questionnaires and which reads as follows:

"Since the legal situation in the third country may change: How do you ensure a quick response and data protection compliant adaptation to new circumstances? In particular, describe the notification and response process between your company and the recipient in the third country."

The question will be easy for companies to answer (at least on paper). Within the SCC, there exists an obligation for the recipient located in the third country to inform the EU-based controller of changes in the legal situation. Therefore, it might be sufficient that, in a case as described in the question, the communication is done via email and the parties then come together and assess the need to agree on additional measures for the data transfers or to contact a competent supervisory authority.


More articles by Dr. Carlo Piltz