Diritti interna

Doveri interna

Search Form Portlet

ricerca avanzata

g-docweb-display Portlet

Cross-Border Data Transfers Authorisation Granted to Accenture (UK) Ltd. – 27 June 2013 [4085200]

versione italiana

 

[doc. web n. 4085200]

Cross-Border Data Transfers Authorisation Granted to Accenture (UK) Ltd. – 27 June 2013

THE ITALIAN DATA PROTECTION AUTHORITY,

Having convened today, in the presence of Mr. Antonello Soro, President; Ms. Augusta Iannini, Vice-President; Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members; and Mr. Giuseppe Busia, Secretary-General;

Having regard to Article 25(1) and (2) of Directive 95/46/EC, of the European Parliament and of the Council, of 24 October 1995, whereby personal data may be transferred to a third country if the latter country ensures an adequate level of protection;

Having regard to Article 26 of the said Directive, setting forth derogations from the above principle to the effect that a Member State may authorize a transfer or a set of transfers to a third country which does not ensure an adequate level of protection if the data controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights;

Having regard to legislative decree No. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter the "Code");

Having regard, in particular, to Article 44(1), letter a), of the Code, whereby personal data may be transferred to a non-EU country if the transfer is authorized by the Italian DPA on the basis of adequate safeguards for data subjects´ rights, which may be determined by the DPA also in the light of corporate rules as in force for companies belonging to the same corporate group – being the so-called Binding Corporate Rules (hereinafter, "BCR");

Whereas the above provision empowers a data subject to claim their rights in the State´s territory pursuant to the Code also in case of non-compliance with the safeguards set forth in BCR;

Whereas the Article 29 Working Party (set up by Article 29 of Directive 95/46/EC) is tasked, among other things, with providing interpretations and opinions to ensure harmonized, EU-wide application of the principles contained in the Directive; whereas the Working Party has found that the BCR may be an instrument for transferring personal data to third countries such as to ensure, generally speaking, an adequate level of protection of data subjects´ rights, and that they are accordingly compatible with the provisions set forth in Directive 95/46/EC – see, in particular, Article 26(2) thereof;

Having regard to the specific requirements set forth by the Article 29 Working Party in its documents WP74 of 3 June 2003, WP108 of 14 April 2005, and WP153 of 24 June 2008, which must be complied with by any BCR a multinational group plans to rely upon in order to be granted the necessary national authorisations to perform cross-border data transfers within the corporate group;

Whereas, moreover, the Article 29 Working Party has adopted an additional opinion (WP107 of 14 April 2005) setting out the cooperation procedure for granting the national BCR-related authorisations; whereas the latter opinion provides, among other things, that the procedure in question should be coordinated by the DPA from one of the EU Member States concerned by the data transfers and that such DPA should act as the "lead authority";

Whereas the aforementioned opinion provides additionally that the lead authority should forward the so-called "final draft" BCR to the other DPAs involved, having completed the cooperation procedure, in order to allow those DPAs to verify that the draft meets the requirements to grant the relevant national authorization;

Having regard to the application received by the Italian DPA on 8 September 2006 and lodged with the UK Data Protection Authority (Information Commissioner´s Office, hereinafter "ICO"), which was determined to be the lead authority as for the relevant procedure, by  Accenture (UK) Ltd., being a company of the Accenture Group working in the management consultancy, system integration & technology and corporate services sectors whose holding, i.e. Accenture Ltd., is headquartered in the USA;

Noting that the above application was lodged by Accenture (UK) Ltd., having its registered office in the United Kingdom, in the name and on behalf of the holding company as well as of all the subsidiaries thereof whether controlled directly or indirectly by the latter;

Taking note that the above application is aimed at being granted the authorization to carry out intra-group transfers to third countries of the personal data relating to: "(past and current) employees, job applicants, client contacts, suppliers, website users and shareholders" (See "Global Data Privacy Policy 90", paragraph 1.2) for the purposes related to "planning, HR selection, management of employees´ performance and vocational development, wages, management of funds and accounting, management of equity offering plans and relevant activities, corporate and market development, setting up and management of external relations, planning and implementation of corporate integration resources, research and development, technological infrastructure and support and management of facilities, travel management, knowledge management, and any additional purposes under laws or regulations in force" (see "Global Data Privacy Policy 90", paragraph 1.2.) by way of the adoption of Binding Corporate Rules, i.e. the so-called "Accenture´s BCR";

Taking note that Accenture´s BCR consist of an intra-group agreement called "Accenture Inter-company Agreement" (hereinafter "ICA"), which includes Annex 1 listing the Accenture Group companies that undertake to abide by the ICA clauses (i.e. the so-called "Data Importers") along with Annex 2 concerning the "Global Data Privacy Policy 90" (hereinafter, "Policy 90");

Taking note that the "Policy 90" also includes Memorandum A – "The Application of and Compliance with Data Privacy Policy", Memorandum B – "Procedures for Responding to Individuals´ Requests to Exercise Their Rights under Global Data Privacy Policy", and Memorandum C – "Complaint Handling Procedure";

Considering that the ICA consists of an agreement between every Accenture Group company that undersigns the agreement as a Data Exporter and Accenture (UK) Ltd acting both on its own behalf as "Data Confidentiality Manager" and on behalf of all other Data Importers;

Taking note that "Each Data Importer shall make sure that its own subsidiaries abide by this agreement as if each of them had undersigned it in its capacity as a Data Importer" (see Clause 2.4 of the ICA);

Considering furthermore that the ICA lays down the rules to be followed in drafting subsequent agreements on cross-border transfers of personal data between Accenture group companies, which must include similar clauses to the ICA ones (see ICA, Clause 2.1);

Taking note that the ICO, having concluded the cooperation procedure for Accenture´s BCR pursuant to the arrangements set out in WP107, forwarded the relevant final draft to the DPAs involved in the said procedure on 23 April 2009 and informed such DPAs thereafter that it had granted the respective national authorization on 30 April 2009 (see ICO´s BCR Authorisation, Appendix 1, No. 4 of 30 April 2009);

Whereas the Italian DPA confirmed on 20 March 2009 that Accenture´s BCR were compliant with the adequacy criteria set forth in WP29´s documents; whereas it drew ICO´s attention to the need for the BCR in question to allow data subjects to easily access the information they contained with particular regard to the third-party beneficiary clause (see the DPA´s letter of 20 March 2009);

Having regard to the application that Accenture S.p.A., Accenture Technology Solutions S.r.l., Accenture Outsourcing S.r.l., Accenture Insurance Services S.p.A., Accenture HR Services S.p.A. and Accenture Finance and Accounting BPO Service S.p.A., having their registered offices in Milan, lodged with the Italian DPA on 30 January 2012 pursuant to Section 44(1), letter a), of the Code in order to be granted the national authorization to carry out intra-group transfers of personal data relating to employees, including job applicants, and other categories of data subject (i.e. client contacts, suppliers, website users and shareholders) from the State´s territory to third countries by way of Accenture´s BCR;

Having regard to the requests for additional information and documents made by the Italian DPA to the aforementioned companies on 28 March, 29 May and 28 September 2012 and on 28 March 2013, which were aimed at clarifying specifically the following:

- The concept of "data owner";

- The categories of data relating to data subjects with particular regard to the concept of "client contacts";

- Compliance of the third-party beneficiary clause as per Clause 4 of the ICA with the requirements made in WP29´s documents (see WP74, paragraphs 3.3.2 and 5.5.1, and WP108, paragraph 5.12 and ff.) as well as the specific scope of application of such clause in case of any breaches of Memorandums A, B, and C only (see Clause 4.5 of the ICA);

- Liability arrangements and jurisdiction criteria;

-  A list of the rights data subjects may exercise by specifying, in particular, where the "rights of erasure and blocking of data" are to be found in the BCR;

- Compliance with transparency obligations (see WP74, paragraph 5.7, and WP153, paragraph 1.7) with particular regard to the third-party beneficiary clause;

Whereas the companies replied to the DPA on the aforementioned issues via letters dated 13 December 2012 and 14 May 2013 and undertook full liability therefor pursuant to Section 168 of the Code, to the effect that:

- "data owner" as translated to "titolare dei dati" in the Italian version of the ICA corresponded to the concept of "data subject" under Directive 95/46/EC;

- The personal information in whose respect an authorization was being applied for concerned a) "employees" including "staff employed currently and in the past" and "job applicants"; b) "client contacts, suppliers, website users and shareholders", whereby "client contacts refer to the commercial contact information concerning natural persons insofar as they are current or prospective clients or intermediaries, which information is collected as part of standard business and commercial practices";

- Clause 4 of the ICA contained the third-party beneficiary clause; as such, "it is intended to afford several rights to data subjects in accordance with the requirements laid down in documents WP74 and WP108", whilst Clause 4.5 should be construed to refer to the Memorandums by way of listing the "mechanisms to implement the rules contained in the Policy 90 rather than such rules per se";

- As for the liability clause and the choice of jurisdiction issue (see WP74, paragraphs 3.3.1, 5.5.1, 5.5.2 and 5.6; WP153, paragraph 1.4), the Accenture Group implemented a system whereby – given the peculiarities of its corporate structure – "the entity at the origin of the transfer remains fully responsible for the data it has collected" and "the individual can bring a claim in the jurisdiction at the origin of the transfer.";

- Regarding data subjects´ rights,  Accenture´s BCR do not explain the right to block and erasure explicitly, but they leave the (additional) individual´s rights unprejudiced as set forth in domestic law; thus, "Accenture would, of course, comply with any request by individuals to block or erase Italian personal data";

- As for transparency obligations, third party beneficiary´s rights are laid down in the "European Country Supplements to Policy 90", which "form an integral part of Policy 90 itself" and "are widely known" since they are "made available on the Policies website and are mentioned in data privacy related training sessions.";

Noting, nevertheless, that the processing of personal data will only be lawful – also upon granting of this authorization – if it is in line with the domestic legislation in force, including subsequent amendments thereof, as well as with the specific data protection provisions as related, in particular, to fulfilment of the lawfulness requirements regarding collection of the data to be transferred and communication of such data;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant personal data processing legislation may not be used;

Whereas the Italian DPA is tasked under Section 154(1), letters a) and d), of the Code with checking compliance of processing operations with the applicable legislation and may, also of its own motion, ban or block processing operations and/or take such additional measures as are provided for by the said legislation;

Having regard to official records;

Having regard to the considerations submitted by the Office via the Secretary General under Article 15 of the DPA´s Rules of Procedure No. 1/2000;

Acting on the report submitted by Mr. Antonello Soro;

BASED ON THE ABOVE PREMISES,

a. Under Section 44(1), letter a), of the Code, authorizes Accenture S.p.A., Accenture Technology Solutions S.r.l., Accenture Outsourcing S.r.l., Accenture Insurance Services S.p.A., Accenture HR Services S.p.A. and Accenture Finance and Accounting BPO Service S.p.A to transfer, within the framework of the Accenture Group, the personal data relating to "employees" and "client contacts, suppliers, website users and shareholders" from the State´s territory to Accenture Group companies having their registered offices in non-EU countries, in accordance with the mechanisms laid down in Accentures´ BCR and exclusively for the purposes referred to therein;

b. Under Section 154(1), letters a) and d), of the Code, reserves the right to at any time carry out the necessary controls on lawfulness and fairness of the data transfers as well as on any processing operations related thereto and to take, where necessary, measures such as to possibly ban or block the processing in question.

Done in Rome this 27th day of the month of June 2013

THE PRESIDENT
Soro

THE RAPPORTEUR
Soro

THE SECRETARY GENERAL
Busia