The Data Protection Authority for Bavaria found that transfers of personal data to the email marketing service Mailchimp in the US were unlawful.
A German business made two transfers of personal data to Mailchimp under the current EU Standard Contractual Clauses (SCCs). While the use of SCCs was proper, after the Schrems II case the controller should have assessed whether supplemental measures were needed to ensure that the transferred personal data maintained essentially equivalent protection to that in the EEA (see link). The Bavarian DPA found that Mailchimp might be an "electronic communication service provider" under the US Foreign Intelligence Surveillance Act, and thus Mailchimp might be required to disclose personal data if requested by the US government. Given this possibility, supplemental measures should have been taken.