BayLDA prohibits use of the newsletter tool Mailchimp

Although the BayLDA has not yet issued an official press release on the case, a published email from the Bavarian Data Protection Authority (BayLDA) indicates that, from their perspective, the use of the very common newsletter tool “Mailchimp” is considered illegal. The listed principles that led to the decision prove an interesting development and show that the supervisory authority is slowly getting serious and banning specific types of data processing.

A company used the services of Mailchimp to send newsletters. Apart from the email addresses of users, no other data was transmitted to Mailchimp. In addition to the basic requirement of consent in the so-called “double opt-in” procedure, the specific requirements of Art. 45 et seqq. of the German Data Protection Act (GDPR) must be observed for the transfer of data to the USA, which is considered a so-called third country (country outside the EU). GDPR must be observed. In the specific case of Mailchimp, the data transfer was based on a guarantee pursuant to Art. 46 of the GDPR, in the form of standard contractual clauses.

Following a user’s complaint, the BayLDA ruled that the use of Mailchimp was unlawful in this case. The mere conclusion of standard contractual clauses was not a sufficient legal basis for the transfer of data to the USA. Further measures should have been examined to ensure the level of data protection.

According to our assessment, the use of Mailchimp by […] in the two cases mentioned – and thus also the transfer of your email address to Maichimp, which is the subject of your complaint – was unlawful under data protection law because […] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, Rt. v. 16. 7.2020, C-311/18) are necessary to make the transfer compliant with data protection, and in the present case there are at least indications that Mailchimp may in principle be subject to data access by U.S. intelligence services on the basis of U.S. law FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if suitable).

After the well-known so-called “Schrems II ruling” of the ECJ of July 16, 2020, data transfer to the U.S. is on very shaky ground. The ruling overturned the so-called “Privacy Shield” previously used for data transfers to the U.S. as a legal basis, according to which the transfer of data from the EU to the U.S. could be supported by certified companies. Since the fall of the Privacy Shield, the U.S. has since been considered an “unsafe third country” because there is no adequacy decision under Article 45 GDPR for the transfer of personal data.

In addition to a proper legal basis for the processing of personal data, additional requirements according to Art. 45 et seq. GDPR must be met to justify the transfer to the relevant third country. Although the ECJ’s ruling stated in particular that a data transfer can be based on so-called guarantees pursuant to Art. 46 GDPR such as standard contractual clauses (SCCs), it must then be possible to prove that it has been examined whether an equivalent level of data protection exists and whether further measures must be taken, if necessary.

The European Data Protection Board (EDPB) has published a document on this subject, which is still basically being consulted on, but already serves as a basis for assessment. In this document, typical scenarios (“use cases”) and indications of what such measures might look like are given.

The decision of the BayLDA initially has no general binding effect, because it is only a decision in an individual case and is only binding on the data subject. Nevertheless, the decision has far-reaching relevance because it shows which legal opinion a data protection supervisory authority represents. And this at least suggests that further similar decisions with similar content will follow in the future.

The BayLDA primarily criticized the fact that the tool or the service provider “Mailchimp” was used unchecked.

the transfer of your email address to Maichimp, which is the subject of your complaint – was unlawful under data protection law because […] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, Rt. v. 16. 7.2020, C-311/18) are necessary …

The EU standard contractual clauses alone are not always sufficient. Therefore, one should at least check the following points:

1. What types of personal data are involved and what is the danger or risk to them?
2. What measures does the service provider in the USA take to protect the data? And what other measures may need to be taken?
3. Which providers within the EU could be used as alternatives? And what effort would it take to switch to another provider?

In this case, the authorities only prohibited use for the time being. No fine was imposed. It remains to be seen whether this will also be the case in the future. Companies that currently rely on service providers in the U.S. and base data transfer only on standard contractual clauses should at least carry out the above assessment and risk evaluation and document it well. However, even this assessment does not provide legal certainty.

It should also be mentioned that even service providers based in the EU can become similarly problematic if they use subcontractors (so-called “sub-service providers”) such as data centers in the USA.

You use the newsletter tool Mailchimp and want to be on the safe side? Contact us! Our experts will be happy to help you.

Source: GDPRhub.eu