Mass Audit in Germany concerning 500 firms’ cloud transfers

8. November 2016

As the IAPP just published online, 10 of the 16 German Data Protection Authorities, have begun to assess firms’ transfer of personal data to cloud services based outside of the EU.

According to a joint statement of the respective Data Protection Authorities this is due to the fact that cross-border personal data transfers are growing massively, because of globalization and the rise of software-as-a-service.

Therefore, a mass audit is conducted, which takes about 500 randomly selected companies of various sizes into account. This audit is based on questionnaires asking about their transfers of employee and customer personal data to third countries, in particular to the U.S. while using services such as:

  • office apps,
  • cloud storage,
  • email and other communications platforms,
  • customer service ticketing,
  • support systems and
  • risk management and compliance systems.

In case a company transfers personal data to third countries, it has to show the legal grounds they are using, for example Standard Contractual Clauses or the EU-U.S. Privacy Shield.