Being able to transfer personal data to third countries has become of fundamental importance for companies, given the widespread internationalization of most commercial enterprises.
If, on the one hand, Art. 43 of Legislative Decree 196/03 allows the transfer of data to a country outside the European Union with the prior express consent of the data subject, on the other hand it is hard to imagine that a multinational enterprise with thousands of employees is able to obtain everyone's consent.
Moreover, data is frequently not processed directly by the company itself but, especially with regard to human resources, by an outsourced processor. In such a case, what are the controller's obligations when the outsourced processor in turn entrusts the processing to a sub-processor in a third country?
The company can rely on one of the following instruments:
Presence of an adequacy decision by the European Commission
Use of the standard contractual clauses adopted by a decision of the European Commission
Adoption of Binding Corporate Rules
Adoption of Binding Corporate Rules for Processors
Currently, the European Commission's adequacy decisions cover only 13 States: the level of protection afforded to personal data in those countries is considered adequate, and personal data may therefore be transferred to them. Lastly, the issue of data transfers to the USA was resolved on 12 July 2016 with the adoption of the Privacy Shield adequacy decision by the European Commission, already discussed in a previous article on this blog.
The standard contractual clauses are drafted by the European Commission and, once incorporated in the text of a commercial contract, permit the transfer of data to third countries. They provide for specific technical and organizational security measures that must be strictly applied by the processor established in a third country that does not guarantee an adequate level of protection.
The European Commission, with its decision of 5 February 2010 (Decision 2010/87/EU), provided for the application of the standard clauses where a controller established in Europe entrusts the processing to a European company which, in turn, subcontracts it to a business enterprise established in a third country.
The decision confirmed that, for a processor established in the European Union, it is sufficient to adopt the standard contractual clauses in order to provide adequate safeguards for the transfer to a third-country sub-processor. The contract must be governed by the law of the Member State in which the EU processor is established, so that the data subject is able to bring any action for the protection of their personal data.
It goes without saying that the data protection authorities of each Member State must continue to exercise their essential supervisory role, verifying that personal data remains adequately protected after transfer outside the borders of the European Union.
The Italian data protection authority implemented the European Commission's decision with an authorization published in the Gazzetta Ufficiale n. 141 of 19 June 2010 and, subsequently, with its measure of 15 November 2012, provided further clarifications on the issue. In particular, it allowed the controller to grant the processor established in the European Union a specific mandate, under art. 1704 of the Italian Civil Code, to sign on the controller's behalf the standard contractual clauses adopted by the European Commission; controllers who do not intend to use the mandate may instead request a specific authorization from the same authority under art. 44, paragraph 1, of Legislative Decree 196/03.
In its latest annual report, the Italian data protection authority paid particular attention to data transfers to third countries. It highlighted the increased use of Binding Corporate Rules (hereinafter BCR), which are emerging as the preferred instrument for transferring data to third countries within groups of enterprises.
Likewise, the BCR for Processors represent a valid option: they permit the transfer, within the same corporate group, of personal data that a processor handles on behalf of controllers established in a Member State. In this way, controllers obtain a guarantee from the existence of BCR for Processors, which demonstrate the lawfulness of the transfers carried out by the outsourced processor companies. For more information on BCR please consult our previous article.
In the light of this sharp increase in transfers of personal data to third countries, the Italian data protection authority has focused its inspections on entities that transfer data abroad, "in order to verify the types of processing, the security measures adopted, together with the legal conditions, the scope and the modalities of personal data transfers to non-EU countries"1.
The new European Regulation on the protection of natural persons with regard to the processing of personal data lays down a general prohibition on transfers to third countries, except where the European Commission has adopted an adequacy decision2. Moreover, the Commission is required to assess the third country's legislation as a whole with regard to the protection of personal data.
In the absence of an adequacy decision by the Commission, the controller or processor must compensate for this by providing appropriate safeguards for the data subject. Such safeguards may consist of BCR, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a national supervisory authority and approved by the Commission, or contractual clauses authorized by the competent supervisory authority.
Many safeguards, deriving from both national and European legislation, are available to ensure that transfers to third countries are secure. Adequate knowledge and careful application of these measures will allow companies to transfer data to third countries without undue obstacles or restrictions on their activities.
2 Recital 103 and art. 45 of Regulation (EU) 2016/679