{"id":5640,"date":"2021-04-15T09:28:46","date_gmt":"2021-04-15T07:28:46","guid":{"rendered":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases"},"modified":"2021-04-15T09:28:48","modified_gmt":"2021-04-15T07:28:48","slug":"data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases","status":"publish","type":"post","link":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/","title":{"rendered":"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases"},"content":{"rendered":"\n<p>Following a complaint filed by a private citizen, the <a href=\"https:\/\/edpb.europa.eu\/news\/national-news\/2021\/bavarian-dpa-baylda-calls-german-company-cease-use-mailchimp-tool_de\" target=\"_blank\" rel=\"noreferrer noopener\">Bavarian Data Protection Authority (BayLDA)<\/a> has ruled that, in that specific case, the use of the US provider Mailchimp was unlawful. The ruling stems from the inciting incident where the person was contacted by a German company who used the cloud service to send out newsletters and evidently stored email addresses. The decision, first <a href=\"https:\/\/www.derstandard.de\/story\/2000125296672\/urteil-in-deutschland-unzulaessige-weitergabe-von-mailadressen-an-mailchimp\" target=\"_blank\" rel=\"noreferrer noopener\">reported<\/a> in the Austrian daily \u201c<em>Standard<\/em>\u201d, may \u00a0have a significant impact on other European companies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-data-protection-supervisors-criticize-the-transmission-of-data-to-non-eu-member-states\">Data protection supervisors criticize the transmission of data to non-EU member states<\/h2>\n\n\n\n<p>In order for the transmission of EU data to the USA to be lawful, the General Data Protection Regulation (GDPR) stipulates that specific requirements need to be observed (<a href=\"https:\/\/gdprhub.eu\/Article_45_GDPR\" target=\"_blank\" rel=\"noreferrer noopener\">Article 45 GDPR\/<\/a> <a href=\"https:\/\/gdprhub.eu\/Article_46_GDPR\" target=\"_blank\" rel=\"noreferrer noopener\">Article 46 GDPR<\/a>). Per the case in question according to the BayLDA, it was the company\u2019s responsibility to check whether the transmission of data to Mailchimp necessitated \u201cadditional measures\u201d to the standard data protection clause in line with the CJEU\u2019s <a href=\"https:\/\/www.retarus.com\/end-of-privacy-shield-7-questions-to-ask-now\/\" target=\"_blank\" rel=\"noreferrer noopener\">Schrems II<\/a> ruling. Simply agreeing to the EU standard contractual clauses does not represent a sufficient legal basis for transmitting data to the USA.<\/p>\n\n\n\n<p>In concrete terms, the <a href=\"https:\/\/edpb.europa.eu\/news\/national-news\/2021\/bavarian-dpa-baylda-calls-german-company-cease-use-mailchimp-tool_de\" target=\"_blank\" rel=\"noreferrer noopener\">authority\u2019s response to the data subject states<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cAccording to our assessment, the use of Mailchimp by &#8230;. in the two cases mentioned &#8211; and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint &#8211; was unlawful under data protection law, because &#8230;.[the company] had not examined whether, in addition to the EU standard data protection clauses (which were used), &#8220;additional measures&#8221; within the meaning of the ECJ decision &#8220;Schrems II&#8221; (ECJ, judgment of 16.7. 2020, C-311\/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. \u00a7 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.\u201d\u00a0<\/p><\/blockquote>\n\n\n\n<p>By taking this position, the German authority has determined that the transfer of data was unlawful in this case, yet according to the report no other supervisory measures have been imposed at this time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-using-us-providers-duty-of-care-shifted-to-european-companies\">Using US providers: Duty of care shifted to European companies<\/h2>\n\n\n\n<p>This response shows that with US-based providers, it is the European companies using their services that are increasingly burdened with the responsibility of conducting and documenting data protection assessments. Recent reporting on this topic, in addition to considering the position taken by the authority, often points out that even providers based in the EU may still be considered problematic, as long as they are using secondary service providers in the USA.<\/p>\n\n\n\n<p>Find out more about how Retarus, as a European provider, ensures full GDPR compliance with our <a href=\"https:\/\/www.retarus.com\/services\/transactional-email\/\" target=\"_blank\" rel=\"noreferrer noopener\">Transactional Email service<\/a> run from self-operated local data centers, in our blog post \u201c<a href=\"https:\/\/www.retarus.com\/blog\/en\/the-cjeu-overturns-privacy-shield-so-what-now\/\" target=\"_blank\" rel=\"noreferrer noopener\">The CJEU overturns \u201cPrivacy Shield\u201d. So what now?\u201c<\/a>.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>European companies using US-based services are increasingly burdened with the responsibility of conducting and documenting data protection assessments. <\/p>\n","protected":false},"author":12,"featured_media":5642,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_s2mail":"","footnotes":""},"categories":[8],"tags":[477,2982],"dipi_cpt_category":[],"class_list":["post-5640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-gdpr","tag-transactional-email"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.7 (Yoast SEO v24.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Data protection authority in Germany declares use of Mailchimp unlawful in certain cases - Retarus Corporate Blog - EN<\/title>\n<meta name=\"description\" content=\"European companies using US-based services are increasingly burdened with the responsibility of conducting and documenting data protection assessments.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases\" \/>\n<meta property=\"og:description\" content=\"Responsibility to check whether data transmission to US necessitated \u201cadditional measures\u201d\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/\" \/>\n<meta property=\"og:site_name\" content=\"Retarus Corporate Blog - EN\" \/>\n<meta property=\"article:published_time\" content=\"2021-04-15T07:28:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-04-15T07:28:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"562\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"S\u00f6ren Schulte\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:description\" content=\"Responsibility to check whether the transmission of data to the US necessitated \u201cadditional measures\u201d to standard data protection clause\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"S\u00f6ren Schulte\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/\",\"name\":\"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases - Retarus Corporate Blog - EN\",\"isPartOf\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png\",\"datePublished\":\"2021-04-15T07:28:46+00:00\",\"dateModified\":\"2021-04-15T07:28:48+00:00\",\"author\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/da5eb37e5936738ea4e12be8b429433d\"},\"description\":\"European companies using US-based services are increasingly burdened with the responsibility of conducting and documenting data protection assessments.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#primaryimage\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png\",\"contentUrl\":\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png\",\"width\":1000,\"height\":562},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.retarus.com\/blog\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#website\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/\",\"name\":\"Retarus Corporate Blog - EN\",\"description\":\"Always up to date\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.retarus.com\/blog\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/da5eb37e5936738ea4e12be8b429433d\",\"name\":\"S\u00f6ren Schulte\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/author\/sschulte\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases - Retarus Corporate Blog - EN","description":"European companies using US-based services are increasingly burdened with the responsibility of conducting and documenting data protection assessments.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/","og_locale":"en_US","og_type":"article","og_title":"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases","og_description":"Responsibility to check whether data transmission to US necessitated \u201cadditional measures\u201d","og_url":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/","og_site_name":"Retarus Corporate Blog - EN","article_published_time":"2021-04-15T07:28:46+00:00","article_modified_time":"2021-04-15T07:28:48+00:00","og_image":[{"width":1000,"height":562,"url":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png","type":"image\/png"}],"author":"S\u00f6ren Schulte","twitter_card":"summary_large_image","twitter_description":"Responsibility to check whether the transmission of data to the US necessitated \u201cadditional measures\u201d to standard data protection clause","twitter_misc":{"Written by":"S\u00f6ren Schulte","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/","url":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/","name":"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases - Retarus Corporate Blog - EN","isPartOf":{"@id":"https:\/\/www.retarus.com\/blog\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#primaryimage"},"image":{"@id":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#primaryimage"},"thumbnailUrl":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png","datePublished":"2021-04-15T07:28:46+00:00","dateModified":"2021-04-15T07:28:48+00:00","author":{"@id":"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/da5eb37e5936738ea4e12be8b429433d"},"description":"European companies using US-based services are increasingly burdened with the responsibility of conducting and documenting data protection assessments.","breadcrumb":{"@id":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#primaryimage","url":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png","contentUrl":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2021\/04\/retarus_privacyshield-e1618471537411.png","width":1000,"height":562},{"@type":"BreadcrumbList","@id":"https:\/\/www.retarus.com\/blog\/en\/data-protection-authority-in-germany-declares-use-of-mailchimp-unlawful-in-certain-cases\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.retarus.com\/blog\/en\/"},{"@type":"ListItem","position":2,"name":"Data protection authority in Germany declares use of Mailchimp unlawful in certain cases"}]},{"@type":"WebSite","@id":"https:\/\/www.retarus.com\/blog\/en\/#website","url":"https:\/\/www.retarus.com\/blog\/en\/","name":"Retarus Corporate Blog - EN","description":"Always up to date","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.retarus.com\/blog\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/da5eb37e5936738ea4e12be8b429433d","name":"S\u00f6ren Schulte","url":"https:\/\/www.retarus.com\/blog\/en\/author\/sschulte\/"}]}},"_links":{"self":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts\/5640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=5640"}],"version-history":[{"count":2,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts\/5640\/revisions"}],"predecessor-version":[{"id":5643,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts\/5640\/revisions\/5643"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/media\/5642"}],"wp:attachment":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=5640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=5640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=5640"},{"taxonomy":"dipi_cpt_category","embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/dipi_cpt_category?post=5640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}