There has been a lot of talk about the new EU Data Protection Regulation, but one issue has not yet been addressed by many commentators. According to the new Regulation, it will be possible to appoint sub-processors, provided that: (i) the data controller grants its written consent (which can be general or specifically addressed to one or more sub-processors), and (ii) the processor imposes on the sub-processors the same data processing obligations that the processor has undertaken towards the data controller.
The Regulation also clarifies that the processor will remain responsible towards the data controller for any breach by the sub-processors. This implies that the processor that resorts to sub-processors should opt for a “privacy by design” approach, setting up, prior to any processing, an adequate organizational structure that would allow compliance with the Regulation provisions. Furthermore, mutatis mutandis, all general obligations of the data processor towards the data controller provided by the Regulation (e.g. compliance with instructions, security measures, privacy impact assessments, information and consultations, etc.) shall be extended to the sub-processor towards the processor.
It should also be noted that, under the current draft of the Regulation, local Data Protection Authorities are, among other things, also permitted to draft standard clauses for the appointment of sub-processors. According to some commentators, this provision may add uncertainty in an area where homogeneity should be pursued.
The appointment of sub-processors is not a novelty for certain European jurisdictions, and indeed the European Commission has already provided standard model clauses for sub-processing. This is, however, important (and very welcome) news for Italy, where processors are currently not permitted to appoint sub-processors: the controller (i.e. the outsourcing customer) is obliged to directly appoint each “sub-processor”, even when that sub-processor is in fact selected by (and mainly managed under the responsibility of) the processor. This approach was taken by the Italian Data Protection Authority in light of the fact that the Italian Data Protection Code (D. Lgs. n. 196/2003) does not specifically allow sub-processing appointments.
Most of the provisions relating to the relationship between processors and sub-processors were added in the latest version of the Regulation provided by the European Council (the prior versions of the European Commission and Parliament were more concise on this topic, setting out only general principles). Although this should not be a controversial issue, it cannot be excluded that the provisions on sub-processing will be subject to amendments.
The Regulation may be finally approved in 2015, in which case it should enter into force in 2017. With the Regulation, the drafting of outsourcing agreements involving a large number of sub-processors (often located in different jurisdictions) will no doubt be streamlined. In the meantime, all parties to outsourcing arrangements will have to carefully consider any sub-processing (even when it is formally carried out through a direct appointment by the data controller), including provisions on monitoring and security measures that should take into account the actual role played by each party involved.