Bavarian DPA Declares Transfers to E-mail Marketing Service Prohibited Due to Lack of Controller’s Assessment and Supplementary Measures

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

Mailchimp provided e-mail newsletter services to the controller, which had used Mailchimp’s e-mail marketing service only twice, to send newsletters to customers. Following a complaint alleging that the controller’s data transfers to the U.S. were illegal in light of the Schrems II judgement, the Bavarian DPA launched an inquiry.

The inquiry established that the controller relied on EU Standard Contractual Clauses (“SCCs”) to transfer e-mail addresses from Germany to the U.S. so that Mailchimp could provide e-mail marketing services directed to German customers on the controller’s behalf. The Bavarian DPA took the position that, because Mailchimp is an e-mail marketing service, “there are at least indications” that it could qualify as an “electronic communication service provider” under U.S. surveillance law (i.e., FISA 702) and, therefore, “the transfer could only be permissible by taking supplementary measures, if suitable.” In the Bavarian DPA’s view, the controller had failed to assess the risk and implement supplementary measures for the transfer of EU personal data to Mailchimp in the U.S.

In its letter to the complainant, the Bavarian DPA states that it has “informed the company that the above-mentioned transfers of personal data to the U.S. were therefore impermissible.” However, the Bavarian DPA decided not to impose a fine in this particular case for the following reasons:

  • The DPA accepted the controller’s argument that the final version of the draft European Data Protection Board’s recommendations on supplementary measures post Schrems II has not yet been issued;
  • The use of Mailchimp’s services by the company was limited, since the service was only used to send newsletters twice. Therefore, “only a few cases of inadmissible data were transmitted.” In addition, the types of personal data involved (i.e., e-mail addresses) are “still relatively manageable in sensitivity.” Taken together, the “present infringement is still to be classified as minor with regard to its nature and gravity, and in particular only a slight degree of negligence;” and
  • The company cooperated and committed to stop using Mailchimp’s services immediately.

Read the EDPB’s news story about the case here.
