The ICO and the German federal data protection supervisory authority have signed an agreement to deepen the cooperation in investigations and provide for more sharing of information between the authorities. We provide an overview of what this may mean for companies operating in the UK and Germany!
Content of the Memorandum of Understanding
On 10 June 2024, the Information Commissioner for The United Kingdom of Great Britain & Northern Ireland (ICO) and the Federal Commissioner for Data Protection and Freedom of Information for Germany (BfDI) signed a Memorandum of Understanding (MoU). The most important aspects are:
- Deeping of the authorities’ existing relations and the promotion of exchanges to assist each other in the application of laws protecting personal data;
- Principles of collaboration between the authorities; and
- The legal framework governing the sharing of relevant information and intelligence between the authorities.
The latter aspect in particular may have a direct impact on companies in the UK or Germany.
Sharing of data between the UK and Germany
The MoU does not mean the ICO and the BfDI can share personal data between the authorities as they wish, they are still restricted by data protection laws.
However, in so far as data protection law allows, the MoU provides the authorities will exchange information involving potential or on-going investigations of organisations in the respective jurisdictions in relation to contraventions of personal data protection legislation.
They will also pursue joint investigations into cross border personal data incidents involving organisations in both jurisdictions without sharing of personal data. This means that if a company reports a breach in the UK or Germany affecting personal data from the other jurisdiction, the respective authority may involve the other in its investigations. Company data, such as the name of a reporting company and the details of an incident, does not after all fall under data protection law unless it includes personal data, and may be shared freely.
Implications of the data sharing for companies in the UK and Germany
Companies operating in both jurisdictions or based in the UK or Germany but processing personal data from the other jurisdiction will be affected. For example if a UK company has a subsidiary based in Germany or a German company sells goods in the UK.
Should these companies come under investigation by the UK or German authorities and there is reason to believe the breach or incident under investigation has a cross-border effect, investigation data might be shared between the ICO and the BfDI. This will aid investigations, prosecution and enforcement.
Advice for UK and German companies
When dealing with incidents or setting up new processing activities, companies are thus well advised to keep an eye on whether there is any cross-border data flow or effect, and whether they will be exposed to parallel or joint investigations by both the ICO and BfDI. If you are unsure whether there is a cross-border data transfer, it is best to consult a data protection expert.
Companies falling under the requirements of Art. 3 (2) GDPR, namely based in the UK, but offering goods or services in Germany (or other EU countries) yet failing to comply with the requirement to appoint an EU-representative in terms of Art. 27 GDPR may also be more likely to be exposed for non-compliance through the sharing of data between the authorities. If you are unsure whether you require an EU-representative we would be glad to assist.