Although the Bavarian Data Protection Authority (BayLDA) has not yet issued an official press release on the case, a published email from the BayLDA indicates that, from its perspective, the use of the very common newsletter tool “Mailchimp” is considered unlawful. The principles listed as grounds for the decision mark an interesting development and show that the supervisory authority is slowly getting serious and prohibiting specific types of data processing.
A company used the services of Mailchimp to send newsletters. Apart from the email addresses of users, no other data was transmitted to Mailchimp. In addition to the basic requirement of consent obtained through the so-called “double opt-in” procedure, the specific requirements of Art. 45 et seqq. of the General Data Protection Regulation (GDPR) must be observed for the transfer of data to the USA, which is considered a so-called third country (a country outside the EU). In the specific case of Mailchimp, the data transfer was based on a safeguard pursuant to Art. 46 GDPR, in the form of standard contractual clauses.
Following a user’s complaint, the BayLDA ruled that the use of Mailchimp was unlawful in this case. The mere conclusion of standard contractual clauses was not a sufficient legal basis for the transfer of data to the USA; the company should have examined whether further measures were needed to ensure an adequate level of data protection.
According to our assessment, the use of Mailchimp by […] in the two cases mentioned – and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint – was unlawful under data protection law because […] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) are necessary to make the transfer compliant with data protection, and in the present case there are at least indications that Mailchimp may in principle be subject to data access by U.S. intelligence services on the basis of U.S. law FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if suitable).