[...] – Complaint Upheld (Germany, 2021)

Complaint Upheld
DPA BayLDA | 15 March 2021 | Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A German company used Mailchimp to send newsletters, transferring email addresses to the US. The Bavarian DPA found this unlawful because the company didn't check if extra protections were in place against US surveillance. The company stopped using Mailchimp, so no fine was imposed, but it highlights the need for careful data transfer assessments.

What happened

A German company transferred email addresses to Mailchimp in the US without ensuring protection against US surveillance.

Who was affected

Subscribers to the company's newsletter whose email addresses were sent to Mailchimp in the US.

What the authority found

The Bavarian DPA decided the company failed to ensure adequate protection for email addresses transferred to the US, referencing the Schrems II decision.

Why this matters

This case emphasizes the importance of assessing data transfers to the US, especially after the Schrems II ruling. Companies should ensure they have additional safeguards when using US-based services.

GDPR Articles Cited

Full Legal Summary

The complainant lodged a complaint with the Bavarian DPA (BayLDA) regarding the use of the newsletter tool Mailchimp by the respondent, a German company. He argued that the transfer of email addresses of subscribers to the respondent's newsletter to the provider of Mailchimp (The Rocket Science Group LLC, a US-based company) was unlawful under Article 44 et seqq. GDPR. The respondent argued that its use of Mailchimp was only occasional and that it had stopped using it. The BayLDA held that the use of Mailchimp by the respondent, and thus the transfer of the email addresses to the provider of Mailchimp, was unlawful:

* The data transfer was based on EU standard data protection clauses (Standard Contractual Clauses - SCCs).
* According to the BayLDA, there were indications that the provider of Mailchimp qualifies as an "electronic communication service provider" under US surveillance law (FISA 702 (50 U.S.C. § 1881)). Therefore, the transferred email addresses could be in danger of being accessed by US intelligence services.
* In light of the CJEU decision "Schrems II" (C-311/18), the respondent had failed to assess whether additional measures were in place to ensure that the transferred data was protected from US surveillance.

As the respondent declared that it would refrain from using Mailchimp with immediate effect, the BayLDA did not impose a fine.

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for [...] in DE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

15 March 2021

Authority

DPA BayLDA

GDPRhub ID

gdprhub-3273

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. [...] - Germany (2021). Retrieved from cookiefines.eu
