On March 15, a ruling by the Data Protection Authority of Bavaria (BayLDA) concluded that the use of the email marketing tool Mailchimp by a German company was unlawful under the GDPR without the consent of those involved. A complaint by a subscriber to the German FOGS Magazin newsletter against the forwarding of email addresses to Mailchimp (US) triggered the investigation.
The Privacy Shield, the framework for data transfers between the European Union and the United States, was revoked in July 2020. This is the first ruling since then to find that a European company's use of an American tool to send newsletters to its European contacts violates Article 44 of the GDPR.
As a result of the ruling, the company, German FOGS Magazin, immediately stopped working with Mailchimp.
Main points of the verdict
- The ruling states that Mailchimp, as the recipient of the email addresses of newsletter subscribers, could qualify as an “electronic communication service provider” under US surveillance law. Intelligence agencies could therefore have access to contact information.
- The company relied on the SCC (Standard Contractual Clauses) to transfer data outside the EU, but these standard clauses are insufficient for the adequate protection of contact information.
What steps can we take?
- When you share data with a US company that is not certified for the GDPR, additional measures on top of its standard contracts are needed to comply with the regulations. US intelligence agencies have access to data stored in the cloud, so these extra safeguards are essential.
- Many companies are waiting for the recommendations of the EDPB (European Data Protection Board) on this issue, and for the talks between the EU and the United States to produce an agreement that replaces the revoked Privacy Shield. But if an agreement were reached, how long would it remain in effect? The main obstacle, the access of the American secret services to the stored data, will still be there.
You can read what the German regulator explained in a publication of the European Data Protection Board.
In conclusion, as a European ESP, we would recommend playing it safe. If you use an American email marketing provider like Mailchimp, SendGrid, or any other, the time has come to look at European alternatives with their servers in Europe.
Tripolis stores the data in the Netherlands, and we are also ISO 27001 certified. Do you have specific questions about storing your data in Europe and/or (email) marketing automation? Feel free to contact us without obligation.