Companies of all sizes and in different fields of activity are asked to indicate which of their services and products require cross-border data transfer. They will also need to highlight the legal ground for their data transfers.
According to Data Protection Report, the German DPAs are surveying data flow practices because the transfer of personal data to non-EU countries has become a common practice for companies, while many of them may not be fully aware of the legal implications of cross-border data exports. The aim of the survey is to evaluate whether companies comply with European data protection law.
The EU Data Protection Directive offers various options for certifying an adequate level of data protection, such as Standard Contractual Clauses and special agreements, particularly the US-EU Privacy Shield deal.
Depending on the audit findings, the DPAs may carry out further investigations, potentially leading to administrative fines.
“In Germany the rules on data transfers are stiffer than in other places in Europe, so businesses that have set up data transfer arrangements that may accord with, say, UK law, might not necessarily be compliant with German law,” said data protection expert Kirsten Wolgast to Out-Law, the website of law firm Pinsent Masons. “Many businesses, particularly those based outside the EEA, are unaware that differences exist in this respect.”