
Company ordered to cover repair costs for customer

Summary

A German company used Mailchimp as a newsletter tool. A data subject claimed that transferring email addresses of the company's newsletter subscribers to Mailchimp, which is a US-based company, constituted an unlawful third-country transfer pursuant to the GDPR.

The Decision of the Bavarian State Office for Data Protection Supervision (BayLDA)

As the company informed the DPA that it had used Mailchimp only twice and confirmed that it would stop using the service with immediate effect, and as the final EDPB guidelines on the supplementary measures for transfers of personal data to third countries were not yet finalized, the DPA did not impose a fine or take any other enforcement actions.

Our remarks

• When using services that require transfers to third countries, first see if the country in question has received an adequacy decision from the European Commission. Data transfer to these countries is expressly permitted. The countries that have received adequacy decisions are:
  ° Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea.

• When transferring data to unsecure third countries, conduct a Transfer Impact Assessment (TIA) to assess the adequacy of the data protection level of the data importer to ensure EU level protection of personal data. Data controllers must take the wording of the SCCs (Standard Contractual Clauses) and the legal system of the third country into account, in particular with regards to access to the transferred data by public authorities (such as intelligence services) in the third country.

• Depending on the outcome of this assessment, the data exporter and the data importer may be required to implement and prove adequate supplementary measures in order to safeguard the data.

• For this purpose, if the data importer does not require 'data in the clear', you can implement effective encryption as a supplementary measure. (See ComplyCloud Transfer Roadmap for an exhaustive overview)
  ° Data must be subject to transfer encryption prior to transfer on the 'data layer'.
  ° The encryption must be 'state-of-the-art'.
  ° The encryption keys must be reliably managed (must be kept under the sole control of trusted parties in the EEA or a country which offers an essentially equivalent protection).
  ° 'Backdoors' must be excluded.

• If the importer needs the data in the clear, you must demonstrate and document that you have no reason to believe that relevant and problematic legislation will be applied in practice.
  ° To rely on a 'no reason to believe' assessment, you must be able to demonstrate and document that the law is not interpreted and/or applied in practice to cover your transferred data and importer (for a list of possible sources of information, see EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, paragraphs 44-47).

• At appropriate intervals, evaluate the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any legal developments that may affect it.

Published: 15-3-2021
Journal number: LDA-1085.1-12159/20-IDV
Tags: 06 Transfers to third countries

Complycloud EU GDPR Report - Page 57