Diritti interna

Doveri interna

ricerca avanzata

Standard Contractual Clauses and Cross-Border Data Transfers Via a Data Processor Established in the EU - Decision of 15 November 2012 [4085265]

VERSIONE ITALIANA

[doc. web n. 4085265]

Standard Contractual Clauses and Cross-Border Data Transfers Via a Data Processor Established in the EU - Decision of 15 November 2012

THE ITALIAN DATA PROTECTION AUTHORITY,

Having convened on this day, in the presence of Mr. Antonello Soro, President; Ms. Augusta Iannini, Vice-President; Prof. Licia Califano, Member; and Mr. Giuseppe Busia, Secretary General;

Having regard to the Personal Data Protection Code (legislative decree No. 196 of 30 June 2003, hereinafter "the Code"), in particular Sections 2(2) and 29 thereof;

Having regard to Section 44(1) b) of the Code, whereby personal data may be transferred to non-EU countries if this is authorized by the Italian DPA on the basis of adequate safeguards for data subjects´ rights as determined by the European Commission through the decisions mentioned in Article 26(4) of Directive 95/46/EC, of the European Parliament and of the Council, of 24 October 1995;

Having regard to Section 154(1) c) of the Code, whereby the Italian DPA may require, also of its own motion, that data controllers take such measures as are necessary and appropriate to bring the processing into line with the legislation in force;

Having regard to the DPA´s Resolution No. 35 of 27 May 2010 (published in Italy´s Official Journal No. 141 of 19 June 2010), which authorized data controllers (data exporters) established in the State´s territory to transfer personal data to data processors (data importers) established in a non-EU country that does not afford adequate protection in pursuance of the standard contractual clauses that are annexed to the European Commission´s Decision No. 2010/87/EU of 5 February 2010 (published in the Official Journal of the European Communities L 39/5 of 12 February 2010);

Noting that the above Resolution also applies to the case where a data processor established in a third country and processing personal data on behalf of an EU-based data controller subcontracts the processing of such data to another processor (hereinafter the "sub-processor") that is established in a third country affording no adequate protection;

Whereas following adoption of the above Resolution, several questions were submitted to this DPA in order to clarify whether the standard contractual clauses annexed to the European Commission´s Decision No. 87/2010/EU of 5 February 2010 may also be relied upon if the data processor subcontracting the processing to a sub-processor in a non-adequate third country is established in the EU;

Noting that the above questions arise from the growing recourse by industry to the outsourcing of certain data processing activities to third parties - with the resulting need for the private sector to rely on standard instruments and harmonized mechanisms whenever the said outsourcing entails the transfer of personal data to third countries affording no adequate protection;

Noting that Recital 23 in the European Commission´s Decision No. 87/2010/EU of 5 February 2010 affirms that the model clauses annexed thereto may not be relied upon in cases where the data importer is not established in a non-EU country;

Noting that the above provision was reiterated, inter alia, by the Article 29 Working Party via its document No. WP176 of 12 July 2010, addressing several FAQs with a view to the entry into force of the European Commission´s decision No. 2010/87/EU of 5 February 2010;

Whereas it is nevertheless necessary to meet the demands coming from the private sector by fostering simplification measures in connection with cross-border data transfers, especially whenever an EU-based data processor processes personal data on behalf of an EU-based data controller and subcontracts the processing to a "sub-processor" established in a third country where no adequate protection is afforded (see Section 2(2) of the Code);

Whereas the Commission has left it to Member States – as already determined by the Article 29 Working Party, see paragraph 1.1 of its Opinion 3/2009 published as Document No. WP161 of 5 March 2009 – to take account of the circumstance that "the principles and safeguards of the standard contractual clauses set out in this Decision" should be applied "with the intention of providing adequate protection for the rights of data subjects whose personal data are being transferred for sub-processing operations" if processing is subcontracted to a "sub-processor";

Having found that it is accordingly appropriate – as already determined by the DPA in its resolution No. 35 of 27 May 2010 (see item 1 of the operative part thereof)  - for a data controller transferring personal data from the State´s territory to non-EU countries to be allowed to rely on the model contractual clauses that are annexed to the European Commission´s decision No. 2010/87/EC of 5 February 2010 also if the transfer in question results from the circumstance that an EU-based data processor appointed by the said controller subcontracts the processing to a "sub-processor" in a third country where no adequate protection is afforded;

Whereas one can envisage to that end that the EU-based data processor undersigns the model contractual clauses relied upon to subcontract the processing to the "sub-processor" on the basis of an explicit mandate conferred by the data controller under Section 1704 of the Civil Code – as also suggested by the Article 29 Working Party in the aforementioned document WP176 (see FAQ I.3, letter b), p. 4);

Taking also note of the additional guidance provided by the Article 29 Working Party, to the effect that the data controller should "agree in advance to the contents of the Appendices 1 and 2 of the Model Clauses 2010/87/EU" in the above cases, and that "it is up to the data exporter to decide whether the mandate will be general (generally allowing the subprocessing of the data described in Appendices 1 and 2) or specific (specific mandate for each new subprocessing)";

Whereas under Section 29(1) and (4) of the Code the data processor is appointed by the data controller and the tasks committed to the data processor must be detailed in writing;

Considering it necessary that the tasks to be committed as above include the mandate conferred by the data controller on the data processor to undersign, in his name and on his behalf, the model contractual clauses contained in the aforementioned Decision, if personal data are to be transferred to a "sub-processor" that is established in a non-adequate third country;

Noting that the data processor is required to process data by complying with the instructions given by the data controller, which also applies to the contents of Appendices 1 and 2 of the model contractual clauses in question (see Section 29(5) of the Code and FAQ I.3, letter b), p. 4 of Document WP176 of 12 July 2010);

Whereas, regarding the personal data transfer at issue, "exporter" shall be the data controller conferring mandate on the EU-based data processor to undersign the aforementioned model clauses in accordance with clause 1, letter b); "importer" shall be the "sub-processor" established in a third country where no adequate protection is afforded under the terms of clause 1, letter c) (see also FAQ I.3, letter b), p. 4 of Document WP176 of 12 July 2010);

Having regard to the documents on file;

Having regard to the considerations submitted by the Office via the Secretary General under the terms of Article 15 of the DPA´s Rules of Procedure No. 1/2000;

Acting on the report submitted by Mr. Antonello Soro;

BASED ON THE ABOVE PREMISES

1. Orders, under Section 2(2) and 154(1) letter c), of the Code and without prejudice to the parties´ freedom of contract as regards the management of their commercial relations, that a data controller established in the State´s territory (so-called "exporter"), having appointed an EU-based data processor that plans to sub-contract the processing of data to another data processor established in a third country where no adequate protection is afforded (so-called "importer"), confers a specific mandate on the EU-based data processor under Section 1704 of the Civil Code to undersign the model contractual clauses annexed to the European Commission´s decision No. 87/2010/EU of 5 February 2010 as approved by this DPA via its resolution No. 35 of 27 May 2010; this shall be without prejudice to the data controller´s right to apply for an ad-hoc authorization from the DPA under Section 44(1), letter h), of the Code if such data controller plans to transfer the personal data without relying on the said mandate;

2. Provides that the data controller should refer to the above task as part of the functions committed to the EU-based data processor, pursuant to Section 29(4) of the Code, whilst the latter should fill out the Appendices 1 and 2 of the model contractual clauses in accordance with the relevant instructions as given by the data controller under Section 29(5) of the Code.

Done in Rome, this 15th day of the month of November 2012

THE PRESIDENT
Soro

THE RAPPORTEUR
Soro

THE SECRETARY GENERAL
Busia