On 5 February the European Commission adopted a Decision to update the “Controller to Processor” standard contractual clauses (these are the clauses that had been approved by Commission Decision 2002/16/EC).
The Decision contains specific provisions which allow, under certain conditions, the outsourcing of processing activities to sub-processors, while at the same time ensuring a constant protection of personal data.
Under the newly adopted Decision, where a data processor intends to sub-contract any of its processing operations performed on behalf of an EU data controller, it must meet a number of conditions, including:
- the data processor must first obtain the prior written consent of the data controller;
- the written contract must impose the same obligations on the sub-processor as those imposed on the data processor by the data controller under the existing standard contractual clauses;
- where the sub-processor fails to fulfill its data protection obligations, the data processor shall remain fully liable to the data controller;
- the sub-processing may only consist of the processing operations agreed in the initial contract entered into by the data controller and the data processor; and
- the data processor must agree and warrant that it has obtained the prior written consent od the data controller prior to entering into the contract with a sub-processor, that the processing services will be carried out in accordance with the updated model clauses and that it will send a copy of any sub-processor agreement to the data controller.
Data controllers and processors who are operating under the 2002 version of the “Controller to Processor” standard contractual clauses but who wish to make provision for the appointment of sub-processors will be required to enter into a new contract which complies with the updated version of the contractual clauses. The new clauses must also be used for new or changed transfers to data processors after 15 May 2010. The data controller is obliged to keep a list of sub-processing agreements notified to it by data processors, which must be updated annually
The updated version of the standard contractual clauses take into account new business models and the growing trends to global processing and outsourcing, and takes into account recommendations included in the “Report on the Implementation of the Commission Decisions on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries” (SEC(2006)95).