Bavarian data protection authority declares transfers to e-mail marketing service impermissible because the controller carried out no risk assessment and took no supplementary measures
On March 15, 2021, the Bavarian Data Protection Authority declared the use of the US e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible, because the controller had not taken the mitigation steps required after Schrems II in relation to the transfer of e-mail addresses to Mailchimp in the United States.
Mailchimp provided e-mail newsletter services to the controller, which had used Mailchimp’s e-mail marketing service only twice, to send newsletters to customers. Following a complaint alleging that the controller’s transfer of data to the USA was unlawful in light of the Schrems II ruling, the Bavarian data protection authority opened an investigation.
The investigation found that the controller had relied on the EU standard contractual clauses (“SCCs”) when transferring e-mail addresses from Germany to the USA so that Mailchimp could provide e-mail marketing services to its German customers on its behalf. The Bavarian data protection authority took the view that, as an e-mail marketing service, “there are at least indications” that Mailchimp could be considered an “electronic communications service provider” under US surveillance law (i.e. FISA 702), and therefore “that a transfer could only be permissible if, where necessary, supplementary measures are taken.” In the authority’s opinion, the controller had neither assessed this risk nor taken any supplementary measures for the transfer of personal data from the EU to Mailchimp in the USA.
In its letter to the complainant, the Bavarian data protection authority stated that it had “informed the company that the above-mentioned transfers of personal data to the USA were therefore inadmissible”. However, the authority decided not to impose a fine in this particular case, for the following reasons:
- The authority accepted the controller’s argument that the final version of the European Data Protection Board’s draft recommendations on supplementary measures under Schrems II had not yet been published.
- The company’s use of Mailchimp’s services was limited, as the service had only been used twice to send newsletters, so “only a few cases of inadmissible data were transmitted”. In addition, the type of personal data concerned (i.e. e-mail addresses) is “still relatively manageable in its sensitivity”. Overall, the “present infringement in terms of type and gravity, and in particular only minor negligence, can still be classified as minor”; and
- The company cooperated with the authority and committed to immediately ceasing its use of Mailchimp’s services.
The case was not made public by the Bavarian Data Protection Authority itself, but it was subsequently reported by multiple news sources.