Last month the Bavarian supervisory authority (“BayLDA”) ruled that the use of Mailchimp for sending e-mail newsletters by a German publisher is in breach of the AVG. The supervisory authority had initiated the investigation into the use of Mailchimp following a complaint from a recipient of the email newsletter.
For the email newsletters, the German publisher had provided email addresses to Mailchimp. The transfer of these personal data to the US-based company was based on the so-called EU Standard Contractual Clauses (“SCCs”). However, the BayLDA ruled that the publisher had failed to investigate whether additional measures/safeguards were necessary to guarantee the privacy rights of European data subjects. Such an additional investigation, and perhaps additional measures, were necessary in order to make the transfer compliant with the European Court’s ruling in the Schrems II case. After all, there are indications that the US intelligence services could request access to the personal data processed by Mailchimp.
As a result of the investigation, the publisher decided to cease using Mailchimp. The BayLDA has not imposed a fine.
The ruling shows that the consequences of the Schrems II ruling are significant. The use of services from American suppliers is unavoidable for most European organisations. Additional research into the risks of processing personal data, and additional guarantees/measures where needed, are always necessary. The guidelines of the European Data Protection Board (“EDPB”) can be used for this purpose. Although these guidelines are not yet definitive and do not provide a one-size-fits-all answer, they do offer some guidance for the time being.