Tenaya Rodewald & Liisa Thomas of SheppardMullin write:
In a notable application of the European Court of Justice’s “Schrems II” decision, the data protection authority for the German state of Bavaria recently held that use by a German entity of US-based MailChimp (which use involved transferring personal information to the US) violated GDPR. As we previously wrote, the Schrems II decision turned on concerns around lack of sufficient safeguards under US law. The court cautioned, and the EDPB has since clarified further, that for standard contractual clauses to be used companies must determine whether the information will have the same level of protection under the laws of the receiving country. If not, additional “supplementary measures” must be implemented.
Read more on Eye on Privacy.