Written by Gonzalo F. Gállego and Belén Gámez
It is well known that international transfers of personal data from EU data controllers to data processors based in "countries not granting an adequate level of protection" ("Third Countries") are subject to certain requirements provided for in the laws implementing the Data Protection Directive (95/46/EC) (the "Directive") in each EU Member State. While there are other mechanisms and exceptions, generally speaking, for personal data to be transferred to Third Countries, the EU controller and the processor in the Third Country must enter into a contract using EU-approved Standard Contractual Clauses. See Standard Contractual Clauses for the Transfer of Personal Data to Processors established in Third Countries approved by the EU Commission in its Decision 2010/87/EU (the "EU Standard Contractual Clauses"). In addition, depending on the EU Member State where the exporter is based, the international transfer may also be subject to notification and/or authorization requirements.
While transfers arising under these requirements may sometimes not be easy to implement, they at least are clear and relatively harmonized across the different EU Member States.
Greater challenges arise in scenarios where a data processor in the European Economic Area ("EEA") is providing services to a data controller also in the EEA and the data processor wants to sub-contract part of the services to companies based in Third Countries. These third parties will also be involved in the processing of the data and will be sub-processors. The use by EU processors of sub-processors in Third Countries is becoming increasingly common for many services including Information Technology, Business Process Outsourcing, and call center operations. It is already standard in the Cloud Computing environment.
Under Spanish law, access to personal data by sub-processors in Third Countries implies an international transfer subject to the requirements mentioned above. In Spain, such requirements consist of obtaining an authorization from the Spanish Data Protection Agency ("SDPA").
Until now, data controllers were the only ones entitled to request authorizations from the SDPA. Therefore, when a data processor in Spain wanted to use sub-processors in Third Countries, the data processor needed to ask its customer (i.e. the data controller in Spain) to request an authorization from the SDPA every time a sub-processor was used. Moreover, in order to obtain the mentioned authorization, the data controller was also required to enter into the Standard Contractual Clauses with each sub-processor in a Third Country (the data importer).
This situation caused significant inconveniences for service providers operating in the Spanish market. The advantages inherent to the services they provide (e.g., quality, flexibility, etc.) and the ability to use resources offshore (e.g., lower costs, availability, etc.) were offset by the administrative burdens of requiring their data controller customers to enter into numerous Standard Contractual Clauses with the service provider’s sub-processors and to obtain authorizations from the SDPA. Fulfilling the data protection requirements was so burdensome that some data controllers preferred not to contract for certain services they otherwise would, resulting in inefficiencies and lost commercial opportunities for service providers.
This situation has changed recently in Spain thanks to a new procedure established by the SDPA, which allows data processors (not data controllers) based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based in Third Countries.
The key elements of this new procedure are the following:
- As with any authorization for international transfers, an agreement based on the Standard Contractual Clauses between the exporter in Spain and the importer in the Third Country is required.
- The SDPA issued its new set of Standard Contractual Clauses Processor–Sub-processor based on the ones of Decision 2010/87/EU (the "New Processor–Sub-processor Clauses for Spain"). For such purposes, the SDPA relied on the second sentence of Recital 23, which provides that "Member States are free whether to take account of the fact that the principles and safeguards of the standard contractual clauses set out in this Decision have been used to subcontract to a sub-processor established in a third country with the intention of providing adequate protection for the rights of data subjects whose personal data are being transferred for sub-processing operations".
- Such New Processor–Sub-processor Clauses for Spain must be entered into between the data processor in Spain (which in the new clauses is identified as the exporter) and the sub-processors in the Third Countries (which are named as the importers under the new clauses).
- Provided that the importers remain the same and the types of data processed and purposes of the processing do not change substantially (as is likely to happen with many services), only one contract based on the New Processor–Sub-processor Clauses for Spain may be necessary for all the transfers of data of different customers to be made by the data processor based in Spain.
- With such New Processor–Sub-processor Clauses for Spain in place, the data processor (exporter) requests the authorization of the SDPA. Once granted, this authorization must be updated so that the SDPA is aware of all the data controllers (i.e. the provider’s customers) whose personal data are covered by the authorization.
- In addition, the customer (i.e. data controller in Spain) must authorize the service provider in Spain (i.e. data processor & exporter) to carry out the international transfer in a framework contract (the "Framework Contract"). Such Framework Contract must include, among other things, the relevant provisions under Spanish laws for the processing of personal data by data processors in the name and on behalf of the data controller, the services that may be subcontracted, the identification of the third party sub-contractors, and the country where they are located.
- Such Framework Contract may be just an Addendum to any other contract that is already in place between the data controller and data processor.
- Every new Framework Contract entered into by the data processor (data exporter) and a data controller shall be notified to the SDPA and must "adhere" to the authorization granted by the SDPA to the exporter for the international transfers of data.
- The requirement mentioned earlier to update the SDPA authorization is met when the Framework Contract is notified. Note that we do not anticipate that it will be very burdensome for a data processor to update the authorization for each agreement with a customer.
- The SDPA has the power to request at any time that the data processor provide a list of the data controllers whose data is being processed pursuant to a Framework Contract and of the data files that are being processed.
Given the novelty of these clauses, it is foreseeable that new issues may arise in their application. In any case, we anticipate that the New Processor–Sub-processor Clauses for Spain will be a significant improvement for service providers wanting to contract with sub-processors.