Following the CJEU's judgment of October 2015 invalidating
the European Commission's Safe Harbor Decision, the Data
Protection Authority Hamburg (“DPA
Hamburg”) started investigations against 35
internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June
2016, these investigations revealed that the majority of the
companies under investigation had used the six-month grace period, as set by the
Article 29 Working Party, to change their practices to
be based on standard contractual clauses. However, according to DPA
Hamburg, some companies under investigation have failed to
implement alternative measures in order to legitimize data
transfers to the United States. Consequently, DPA Hamburg
determined that data transfers by those companies lack a sufficient
legal basis and are, therefore, illegal.
Whereas some of the
proceedings are still pending, three penalty notices issued by DPA
Hamburg have in the meantime become binding. Notably, once under
investigation, the affected companies also implemented standard
contractual clauses. Johannes Caspar, the Hamburg Data Protection
Commissioner, said that, when calculating the fines, DPA Hamburg
took into account that the companies fined have in the meantime
changed their practices and now have standard contractual clauses
in place. However, he also emphasized that future violations might
result in even higher fines. According to press articles, DPA
Hamburg imposed fines in the range between EUR 8,000 and
EUR 11,000. The German Federal Data Protection Act
(Bundesdatenschutzgesetz – BDSG) provides for fines
of up to EUR 300,000 for each breach.
The investigations of DPA Hamburg demonstrate that German DPAs
are keen to investigate and fine companies which have failed to
take appropriate measures following the invalidation of Safe Harbor
in October 2015. Companies are called on to ensure that there is a
solid legal basis for data transfers to the United States in place.
For the time being, the implementation of standard contractual clauses
appears to be the most suitable replacement for Safe Harbor.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.