First fines regarding unlawful data transfer to the U.S. imposed by German DPA

The Hamburg DPA has recently issued a press release announcing that it has been investigating 35 international organisations with German headquarters in Hamburg and that so far it has imposed fines on three multinational companies for unlawful transfer of personal data to the U.S. based on Safe Harbor.

The DPA of Hamburg argued that it started detailed investigations in February after the deadline of the WP29 had ended and that companies have had enough time to review their data streams and establish replacement legal grounds for data transfers to the U.S. In the respective three cases the organisations based their data transfer to the U.S. on Safe Harbor only, however the DPA took into account that those organisations have now adopted Model Clauses to legitimise the transfers. As a result, the fines are relatively low, ranging between EUR 8,000 and 11,000. However, the DPA of Hamburg warned that future cases would most probably incur larger fines.

According to information obtained by the German media, proceedings commenced by the Hamburg DPA relating to two other organisations are still pending, and a fine notice in another case is soon to be issued.

Meanwhile, the DPA of Rhineland-Palatinate has recently been investigating several companies in relation to data transfer to the U.S. and found violation of current data protection law in at least 16 cases. It announced that proceedings will be commenced should it detect more non-compliance regarding the new requirements following CJEU Schrems.

Companies that relied solely on Safe Harbor for transferring data to the U.S should now switch to Model Clauses or BCRs in order to avoid proceedings which could well lead to fines higher than those imposed in these cases.

The press release of the Hamburg DPA can be accessed here (German only).