Privacy and outsourcing structures
Cross-border data flows
Personal data held by an outsourcer based in Italy can be transferred to an outsourcee based in a jurisdiction outside the European Union only if there is a sound legal basis for doing so. For Italian outsourcing clients, there are at least two central issues to consider before entering into an offshore outsourcing transaction: the role in which the service provider handles the data (data processor or independent data controller), and the legal basis on which the data may be transferred outside the European Union. These issues are equally important when cloud-based services are used, since the provider's servers are frequently located outside the European Union.
Privacy and outsourcing structures
In an outsourcing arrangement, the client (ie, the outsourcer) is the data controller in respect of the data subjects' personal data. However, the status of the service provider (ie, the outsourcee) may vary. Should it be regarded as an independent data controller or is it a data processor that acts on the data controller's behalf? The question should be considered on a case-by-case basis and clearly addressed by the parties in the outsourcing agreement, bearing in mind that the choice will have specific consequences for both client and provider.
Moreover, regardless of how the parties define and regulate their relationship contractually, the Data Protection Authority and the Italian courts remain free to assess the relationship on its substance and to reach their own conclusion as to the legal grounds, if any, which justify the communication of data from the client to the service provider.
Service provider as external data processor
Clients typically wish to appoint the service provider as a data processor. Pursuant to Section 29 of the Privacy Code, the data processor must have the experience, ability and reliability needed to ensure full compliance with the provisions on the processing of personal data, including those on security. Where the provider acts as a processor, the controller is not required to obtain the data subjects' prior consent (or to find an alternative legal basis) before disclosing their personal data to it, because the processor acts on the controller's behalf rather than as a third-party recipient. However, the code provides that, in principle, an outsourcing client remains liable for a breach of the applicable privacy law committed by a data processor acting on its behalf: the client may be found negligent either in choosing the supplier or in failing to monitor the supplier properly. It is therefore crucial for clients to include in the outsourcing agreement an indemnity clause covering such breaches of law.
Section 29 of the code provides that:
- the data controller must specify in writing the tasks assigned to the data processor; and
- the controller must supervise the processor's work and its compliance with both the controller's instructions and the applicable provisions of privacy law, which requires, among other things, regular monitoring by the controller.
Complying with this provision is particularly difficult when the service provider's terms and conditions cannot be negotiated (as is common with standardised cloud services) or when the outsourcing agreement does not contain an adequate audit clause allowing the client to verify the provider's compliance.
Service provider as independent data controller
The service provider may not wish to be appointed as an external data processor or to adapt its standard terms and conditions to comply with Section 29 of the code. In such cases the service provider acts as an independent data controller to which the client communicates personal data; the client therefore needs a valid legal basis for that communication. This is a crucial issue, as the code does not recognise the "legitimate interest of the data controller", in the sense of Article 7(f) of the EU Data Protection Directive (95/46/EC), as a sound legal basis for processing personal data without the data subject's prior and informed consent, unless the Data Protection Authority has issued a specific decision authorising such processing. To date, the authority has never issued such an authorisation in respect of an outsourcing transaction. Therefore, clients should be prepared to provide evidence that:
- the relevant data subjects have provided prior and informed consent to the communication of their personal data to third-party service providers; or
- the communication is necessary for the performance of a contract to which the data subject is party (eg, the agreement with the data subject contains a clause whereby the company reserves the right to entrust third-party service providers with the performance of the agreement).
Cross-border data flows
Regardless of whether the service provider acts as an independent data controller or a data processor, the parties should ensure that transfers of personal data outside the European Union comply with Sections 42 to 45 of the code.
Under Italian law, personal data may be transferred from the Italian territory to countries outside the European Union, temporarily or permanently, in any form and by any means, if:
- the data subject has given his or her consent, either expressly or, where the transfer concerns sensitive data, in writing; or
- the transfer is necessary for:
  - the performance of obligations arising from a contract to which the data subject is a party;
  - the completion of certain steps at the data subject's request before entering into a contract; or
  - the performance of a contract made in the interests of the data subject.
The transfer of personal data undergoing processing to a non-EU member state is also permitted if it is authorised by the Data Protection Authority on the basis of adequate safeguards for data subjects' rights. The adequacy of those safeguards may be established:
- by the authority, taking account of contractual safeguards or binding corporate rules (ie, rules of conduct in force between companies within the same group); or
- on the basis of the decisions referred to in Articles 25(6) and 26(4) of the directive, whereby the European Commission may find that a non-EU member state affords an adequate level of protection or that certain standard contractual clauses afford sufficient safeguards.
In any case, personal data that is the subject of processing may not be transferred to jurisdictions outside the European Union - temporarily or permanently, by any means or in any form - if the laws of the jurisdiction of destination or transit do not ensure adequate protection for individuals' data.
Therefore, it is essential for outsourcing clients to determine, under the agreement, where the personal data will be stored and processed (including any transit jurisdictions) and to identify, before the transfer takes place, the legal basis on which it is legitimate.
For further information on this topic please contact Marco Leone at DLA Piper Italy by telephone (+39 02 80 61 81), fax (+39 02 80 61 82 01) or email ([email protected]).