Get this marketer a shield – Part 2: Using Mailchimp is a violation of GDPR
Back in August the ECJ (the European Court of Justice) ruled that the US-EU Privacy Shield is no longer valid, as it does not offer sufficient protection for EU citizens and their data.
Now a court in Germany has ruled that an organisation should not use Mailchimp to send out its e-mail communications, because doing so unlawfully transmits e-mail addresses outside the EU.
Not even the Standard Contractual Clauses helped this time; the SCCs were the piece of legislation that users were clinging to in the hope that they could still use US providers, like Mailchimp, even though the Privacy Shield was rendered invalid.
Interestingly, the decision of the German regulator has not been published, but was announced by NOYB itself. In a publication from the EDPB (the umbrella organisation of European privacy regulators), the German regulator does explain what happened.
NOYB’s complaint centred around an organisation that is the controller for the use of the Mailchimp e-mail tool. After receiving the complaint, the supervisory authority asked the controller for clarification and explained the consequences of the Schrems II ruling. The organisation then announced that it had stopped using Mailchimp immediately.
NOYB is the organisation of the now well-known privacy activist Max Schrems, who is also responsible for the Schrems I and Schrems II rulings of the European Court of Justice (CJEU).
In these cases, data traffic to the US was declared illegal on the basis of the Safe Harbor and Privacy Shield regulations respectively. Far-reaching preconditions were imposed on transfers based on Standard Contractual Clauses (SCC).
The ruling of the Bavarian regulator gives us an interesting look at how these rulings are applied in practice to ban the use of marketing tools and cloud solutions from outside the EU. In the article Explained: Sharing data outside the EU you can read more about the exact consequences of the Schrems II ruling.
The organisation in question defended itself by explaining that it had only shared e-mail addresses with Mailchimp for the purpose of sending e-mail. It also indicated that it had not applied the EDPB's recommendations for additional safeguards on top of SCCs (needed in countries where the level of protection is too low) because that recommendation is not yet final; it wanted to wait for the final version.
The regulator did not agree with this. It indicated that there was a transfer of personal data outside the EU. Because this was done on the basis of the model contracts (SCCs), the organisation should have assessed whether additional guarantees were needed. Since this case involved data transfers to the US, where intelligence agencies are known to have access to data held by cloud providers, additional safeguards were needed to ensure lawful transfers. According to the regulator, this means that only one conclusion is possible: the transfer of data could only be lawful if the responsible organisation had ensured that the problem (access by intelligence services) was resolved with additional safeguards.
Now, while companies across Europe keep an eye on the recommendations the EDPB is coming up with, we are also looking at the negotiations between the European Commission and the US government with renewed vigour. There is talk of a successor to the Privacy Shield. If that succeeds, we will be back to the old situation: from a GDPR perspective, transfers would again be possible to certified American organisations. The question then is how long that agreement will last. After all, this does not solve the underlying problem of access by intelligence services.
Main body of this blog taken from: https://marketingfacts.nl/berichten/gebruik-mailchimp-is-overtreding-van-de-avg