The Spanish Data Protection Authority (SPDA) has recently produced a pioneering model in Europe for clauses (Model Clauses) aiming to facilitate Spanish companies’ compliance with the special requirements for transferring personal data outside the European Economic Area (EEA). More specifically, the Model Clauses are prepared for the sole use of service providers which subcontract companies located in countries outside the EEA, such as subcontracting a call center's services to companies in Latin America (mainly Colombia, Mexico and Peru) or technology-related services to companies in India.
Existing Model Clauses
So far, the existence of model clauses only for data controllers (meaning client-companies that engage services providers) involved the client-companies (and not their services providers) assuming compliance with the special requirements on transferring personal data to the subcontracting companies located outside the EEA that are engaged by service providers. They therefore had to take over the approval process before the SPDA to obtain the authorization for transferring personal data to the aforementioned subcontracting companies.
Actions to consider
From now on, with the new Model Clauses, service providers, such as data processors of files belonging to their company-clients, can – as has already occurred – initiate the approval process before the SPDA to request the authorization to transfer personal data of their company-client's files to their subcontracting companies located outside the EEA. The granted authorization will cover in bulk all transfers of personal data in files of the company-clients that contract the services, but it will also provide an additional guarantee of compliance with the data protection law that will facilitate the promotion and marketing of the services offered by providers that subcontract companies located outside the EEA.