Data protection activists have lodged a complaint with the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht, "BayLDA") arguing that the use of the respondent's newsletter provider Mailchimp was unlawful under Art 44 et seq GDPR because of the transfer of personal data (i.e. e-mail addresses) to this US-based company. In March, the BayLDA held that the transfer of e-mail addresses is unlawful [1], following the CJEU's ruling on the transfer of personal data to the USA (Schrems II, Privacy Shield) [2]. Due to this ruling, data may only be transferred from the EU to the USA if the controller assesses beforehand whether there are additional measures to the controller's standard data protection clauses under Art 46 GDPR in place to guarantee protection of the transferred data from US surveillance.
In the case at hand, Mailchimp based its data transfer on such standard data protection clauses without offering additional safeguards. According to the BayLDA, Mailchimp arguably qualifies as an "electronic communication service provider" under US surveillance law, which means that transferred personal data is in danger of being processed by US intelligence agencies [3]. As the controller, a company based in Munich, failed to assess if there are additional safeguards in place, the BayLDA held that the transfer of e-mail addresses to Mailchimp is in itself unlawful.
The decision of the BayLDA is not a binding court ruling and is only applicable to the case at hand. However, when presented with a similar case, other DPAs are also likely to make the same decision. In addition, it can be presumed that in light of Schrems II, courts in EU Member States would uphold such a decision.
It must be noted, however, that the BayLDA only held that a controller is obliged to assess whether additional safeguards to standard data protection clauses are in place before transferring personal data to a US-based processor; it did not prohibit such transfers in general.
Companies using Mailchimp or other US-based processors for e-mail marketing do not have to stop using them. To minimise legal risks, however, an internal assessment answering the following questions should be carried out as soon as possible:
Apart from exceptional cases (as mentioned under Pt 2), the level of data protection and the technical and organisational measures taken by Mailchimp are arguably considered to be sufficient, although there is no established case law on this as yet. Depending on the result, controllers who have carried out this assessment can decide whether they want to continue using Mailchimp/US-based processors. In any case, they have fulfilled the requirements laid down by the BayLDA.
Another viable alternative is to use an EU-based (e-mail marketing) processor that does not transfer data to the US or other non-member states of the EU.
[1] BayLDA 15 March 2021, LDA-1085.1-12159/20-IDV.
[2] CJEU 16 July 2020, C-311/18.
[3] cf. FISA 702 (50 U.S.C. Section 1881).
Author: Florian Terharen, Attorney at Law, Vienna, Austria