Art. 16a sec. 3 GG). Overall, the legislature must ensure that the transfer of data collected by German authorities and transferred to third countries or international organisations does not undermine the protection of the European Convention on Human
Rights and the other international human rights conventions (cf. Art. 1 sec. 2 GG).
(2) Whether the required protection level is guaranteed in the receiving state need
not be examined separately for each individual case and secured through individually
assured commitments that are binding under international law. In this respect, the
legislature may instead also rely on a generalising factual assessment rendered by
the Federal Criminal Police Office regarding the legal and factual situation in the receiving states. This assessment may claim validity as long as it is not opposed by
facts to the contrary in special circumstances (cf. BVerfG, Order of the Second Senate of 15 December 2015 – 2 BvR 2735/14 – para. 69, with further references).
337
If decisions with a view to a receiving state cannot be based on such assessments,
it is necessary to conduct a facts-based case-by-case assessment that determines
whether it is at least guaranteed that essential requirements for the handling of data
are sufficiently met (see above, D IV 1 b bb (1)). If necessary, binding individual guarantees can and must be provided. As a rule, a binding assurance is a suitable means
for removing concerns with regard to the permissibility of the transfer of data, so long
as it is not to be expected that the assurance will not be adhered to in the individual
case (cf. BVerfGE 63, 215 <224>; 109, 38 <62>; BVerfG, Order of the Second Senate of 15 December 2015 – 2 BvR 2735/14 – para. 70). However, as far as the individually applicable requirements are concerned, the legislature may also choose to
determine these on the basis of an appraisal of the individual case.
338
Ascertaining that the required degree of protection is met – be it generalised, be it in
the individual case – is not a decision at the German authorities’ free political disposal. In fact, the decision must be based on substantial and realistic information and
must be updated regularly. Its reasons must be documented in a comprehensible
manner. Further requirements are that the Federal Data Protection Commissioner
has the opportunity to review the decision and that it may be subjected to judicial review (cf. also ECJ, Judgment of 6 October 2015 – C-362/14 –, Schrems/Digital Rights
Ireland, NJW 2015, p. 3151 <3156>, paras. 78, 81, 89).
339
cc) Even so, requirements of effective supervisory control including the suitable documentation of the respective transfer activities as well as the requirement of reporting
duties apply in Germany (see above, C IV 6 d, e).
340
dd) The standards developed above must be statutorily enshrined in a manner that
satisfies the principle of specificity and legal clarity. This also includes the fact that the
legal bases which, insofar as permissible, are meant to authorise a transfer of data for
the purpose of receiving information through a matching of data collected by authorities in third countries as well as a return of supplementary information are as such designed with legal clarity.
341
60/71