While EU regulators determine whether to adopt a new agreement for transfers of personal data from Europe to the United States to replace the invalid EU-U.S. Safe Harbor Framework, German data protection authorities have not been idly twiddling their thumbs.
Hamburg’s data protection commissioner, the head of one of 16 Federal German data protection authorities (“DPA”), announced in February that his agency is investigating Hamburg-based subsidiaries of large U.S. companies engaging in transfers of personal data of EU citizens to the U.S.
Recent enforcement actions by the Bavarian Data Protection Authority (DPA) [Bayerisches Landesamt für Datenschutzaufsicht] highlight the importance of severe restrictions placed on the transfer of such data, even in the context of a merger/acquisition deal scenario. Specifically, on July 30, 2015 the Bavarian DPA announced that it has fined two companies, both the seller and the acquirer, in an asset deal with a five figure EUR sum for transferring customer e-mail-addresses collected during operating an online shop in violation of the German Federal Data Protection Act. Clients should expect to see more of these actions in the future, given the Bavarian DPA’s announcement that it will pay increased attention to data protection compliance in asset deals and shall accordingly monitor and fine the companies breaching the legal requirements with more persistence.