The “ruling” presented in the “Standard” concerns a remedy procedure concluded without formal supervisory measures regarding a complaint by a data subject, in which the controller (an individual company) that had used Mailchimp had, after our request for comments and detailed information on the consequences of the Schrems II- decision, announced that it had now refrained from using Mailchimp.
Our final notice to the complainant, which apparently formed the basis of the publication and was sent in mid-March, had the following wording in extracts and translated informally:
“… We are referring to your data protection complaint against …. concerning the use of “Mailchimp”. As a result of our intervention, the company has informed us that it had used Mailchimp twice to send newsletters. As a result of our intervention, the company has now informed us that it will no longer use Mailchimp with immediate effect.
The company also informed us that it had only transmitted email addresses to Mailchimp in the context of the above-mentioned use. It also mentioned that the recommendations of the European Data Protection Board on the so-called Supplementary Measures for transfers of personal data to third countries are not yet available in a final version, but are still subject to public consultation; this is correct.
According to our assessment, the use of Mailchimp by …. in the two cases mentioned – and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint – was unlawful under data protection law, because …. had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7. 2020, C-311/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken. “
We informed the company that, due to the above, the above-mentioned transfers of personal data to the U.S.- were not lawful.
“The processing of your complaint is thus concluded. This letter constitutes the legally required information on the outcome of the processing of your complaint pursuant to Art. 77 (2) of the GDPR. “
This case is exemplary for our supervisory enforcement of the requirements of the ECJ decision, which, contrary to recurring criticism, has already been taken up with a high degree of intensity even without publicly perceived investigations or sanctions and has so far succeeded with above-average frequency in reaching agreement.
For more information, please contact the Bavarian DPA: firstname.lastname@example.org