Companies that outsource data processing activities abroad should already be aware of the special rules restricting the transfer of personal data outside the EEA; they need to ensure that the foreign jurisdiction offers an equal level of protection in respect of the personal data as applies within the EEA. One of the ways to ensure this is to make use of the model contractual clauses for the transfer of personal data outside the EEA published by the European Commission.

The Commission has recently produced New Model Clauses that reflect the European Commission’s recognition of “the growing trends to global processing and outsourcing” by allowing for onward transfers from non-EEA processors to non-EEA sub-processors. They do not, unfortunately, yet cover transfers from EEA-based processors to non-EEA based sub-processors. In a new set of FAQs, adopted on 12 July 2010, the specialist European Data Protection advisory body, or Article 29 Working Party, has suggested the following ‘work-arounds’ to deal with this:

  • A direct contract, based on the adopted New Model Clauses, between the EEA-based controller and the non-EEA-based processor, with the non-EEA-based processor signing the New Model Clauses as data importer, and not as sub-processor  
  • A service provider agreement which includes a clear mandate to the EEA-based processor to sign the New Model Clauses with the non-EEA-based sub-processor, in the name and on behalf of the EEA-based controller. The controller remains the data exporter, and the sub-processor is the data importer 
  • An “ad-hoc contract” containing the principles and safeguards included in the New Model Clauses. The EEA-based controller and the non-EEA-based sub-processor should be bound by the same duties and rules of liability as in the New Model Clauses. The contract should allow EEA-based processors to apply their own applicable law to technical and security measures (and duties towards the data subject) and the non-EEA-based sub-processor to respect the data controller’s national law

Each of these suggestions is sensible and represents nothing more than what UK companies have been doing for many years when acting practically to self-assess the adequacy of their data processing activities (the usual route taken by UK companies exporting data abroad), rather than relying slavishly on the model clauses.