The Hessen data protection authority ('HBDI') released, on 22 June 2021, a statement addressing the obligations for companies to guarantee the protection of fundamental rights when transferring data to third countries, following the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgment'). In particular, the HBDI highlighted that, as a first step, companies and public bodies in Hesse should consider that transfers of personal data to third countries, such as the US, are not permitted without additional protective measures.

Furthermore, the HBDI outlined that it expects data processing companies in Hesse to check whether their IT systems transfer personal data to third countries in which there is an insufficient level of data protection, and if so, demonstrate that they have carried out the necessary tests and initiated the first steps towards ensuring that the data processing methods used meet the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In addition, the HBDI noted that companies should immediately implement, where possible, functionally equivalent alternatives that ensure an essentially equivalent level of protection with those guaranteed in the EU. However, the HBDI stated that where there is a need to implement more complex procedures, companies should develop an appropriate roadmap for implementation, which the HBDI can provide advice on.

Hessian Commissioner for Data Protection and Freedom of Information, Professor Dr. Alexander Roßnagel, ''The supervisory authority assumes that the data processing agencies in Hesse will comply with their legal obligations and advocate that their IT systems are used in accordance with fundamental rights. It will take this into account when data processing, for which there are no options for an alternative design, is indispensable for the fulfillment of corporate functions or the fulfillment of state tasks. But in connection with video conference systems, there are already data protection compliant solutions that can be switched to."

You can read the press release, only available in German, here.