German federal state guide on EU-US Privacy Shield
Following the collapse in 2015 of the Safe Harbor system for permitting transfers of EU personal data to the US, its agreed replacement (the EU-US Privacy Shield) was adopted by the EU Commission in August this year.

In order to transfer EU personal data to the US, recipient US companies must self-certify full compliance with the Privacy Shield requirements. Failure to comply with the Privacy Shield undertakings can lead to investigations and liabilities from the Federal Trade Commission in the US.

However, companies certifying under the Privacy Shield must not only comply with the Privacy Shield requirements and undertakings; they must also comply with the local EU country’s data privacy rules.

Guidance from North Rhine-Westphalia

The Data Protection Authority of the German Federal State of North Rhine-Westphalia (NRW) is one of the first Data Protection Authorities in the EU to publish guidance notes on using the Privacy Shield for German personal data. While strictly speaking it applies only to NRW, the guidance may indicate what companies can expect more widely in the EU when seeking to stay privacy compliant.

The NRW Data Protection Authority has given the Privacy Shield system one year to address the concerns it has raised. At the end of that year it will assess whether or not to permit the system to continue. If it decides against, it could stop data transfers from NRW under the Privacy Shield.

Steps needed under guide

In addition to the US company being certified under the Privacy Shield, companies wishing to transfer NRW personal data to the US:
● may need to enter into a data processing agreement with the US recipient that meets local statutory requirements (which in the German case are quite detailed, specific and technical);
● must check that the US recipient is properly Privacy Shield certified, which means assessing whether the certification: (i) exists; (ii) is up to date; and (iii) covers the intended use of the data being transferred;
● may need to require the US recipient to attest that it is privacy compliant before any transfer takes place.

Employee personal data

Under the Privacy Shield, if the data relates to employees, the use of that data in the US remains subject to EU law and complaints will be heard by the relevant local EU data protection authority.

The EU data controller (usually the local employer) must ensure the US data recipient knows and complies with the EU privacy rules for employees.

The employee’s right to refuse the processing of his/her personal data must be respected and must not harm the employee in any way.