* Top EU court struck down U.S.-EU data transfer pact last year
* Companies have had to set up alternative legal systems
* German regulator fines three companies for failing to do so
BRUSSELS, June 6 (Reuters) - A German regulator has fined three unnamed companies for still relying on a Safe Harbour agreement to electronically transfer personal data to the United States despite the deal being declared invalid by the EU's highest court last year on concerns about U.S. mass surveillance activities.
Companies that need to transfer personal data to the United States - be it for completing credit card transactions, hotel bookings or moving employee data - have been operating in a legal limbo since the Court of Justice of the European Union (ECJ) struck down the Safe Harbour pact last October, depriving them of the easiest channel for data transfers available under the EU's strict data protection laws.
For 15 years the Safe Harbour agreement had allowed companies to store data about European Union citizens on U.S. servers by stating that they complied with EU data protection standards.
The Hamburg Data Commissioner, which has responsibility for supervising companies such as Facebook and Alphabet Inc's Google because they have their German headquarters there, said on Monday it had fined three companies for still relying on Safe Harbour for U.S. data transfers.
It did not name the companies, but said they had put in place alternative legal mechanisms for transferring data to the United States following the fine.
"The fact that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favourable way for the calculation of the fines," said Johannes Caspar, the Hamburg Commissioner for Data Protection.
"For future infringements, stricter measures have to be applied."
The EU's 28 data protection authorities gave companies a three-month grace period to bring their U.S. data transfers in line with EU law after the ruling.
Hamburg's action is the most high-profile example of a regulator cracking down on companies for not changing the way they move data to the United States.
The Hamburg regulator said it had conducted inspections on 35 "internationally active Hamburg-based companies" and most of them had set up alternative legal arrangements to shift data to the United States, such as "standard contractual clauses".
But some companies had failed to set up such contracts - standard templates drawn up by the EU executive to allow cross-border data transfers to be made under EU privacy laws - even six months after the ECJ ruling.
"The data transfer of these companies to the USA was thus without any legal basis and unlawful," the regulator said in a statement.
However, Caspar said standard contractual clauses would also have to be scrutinised to decide if they give sufficient protection to Europeans' data, leaving open the possibility that regulators will restrict their use too. (Reporting by Julia Fioretti; Editing by Greg Mahlich)