New model set of contractual clauses for international data transfers from Spain: outsourcing of services

October 2014 | EXPERT BRIEFING | RISK MANAGEMENT

financierworldwide.com

Standard contractual clauses for international personal data transfers between a data processor and a subprocessor have now been approved in Spain.

Together with the standardised sets of contractual clauses for international controller to controller and controller to processor transfers approved by the European Commission by way of Decisions 2004/915/EU and 2010/87/EU, respectively, the Spanish Data Protection Agency has recently approved a new model set of standard contractual clauses.

The Spanish Agency has approved this new model set of contractual clauses based on the provisions of article 26(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and articles 33 of the Personal Data Protection Act 15/1999 of 13 December and 70(2) of its Implementing Regulation, approved by Royal Decree 1720/2007 of 21 December.

The new format covers a third instance of international data transfers, that is, between a service provider acting as a data exporter and a subcontractor acting as a data importer, or, in other words, between a data processor and a data subprocessor in a third (non-EU) country that does not ensure an adequate level of data protection. This international transfer model is designed for those cases where the data controller (located in Spain) authorises its data processor (also located in Spain) to outsource the agreed services to a subcontractor located in a country that does not ensure an adequate level of protection, and even provides for outsourcing to so-called subsequent subcontractors or any third parties that may be engaged by the latter.

In order to regulate such international data transfers, the Spanish Data Protection Agency has prepared standard contractual clauses based on and essentially following the same structure as the European ones. With respect to the substance, it is worth pointing out certain aspects included by the Spanish Agency.

The new model set of clauses lays down an obligation for the data controller and the data processor (acting as a data exporter for the purposes of the new model set of clauses) to sign the relevant framework or data access agreement pursuant to article 12(2) of the Personal Data Protection Act.

This framework agreement must include and guarantee the following: (i) the data controller’s obligation to process and continue processing the personal data pursuant to Spanish data protection legislation; (ii) the data controller’s instructions for the provision of services; (iii) the processing activities that are the subject matter of the provision of services and make up part of the same; (iv) the technical and organisational security measures implemented by the data exporter; (v) the data controller’s authorisation for the data exporter to sub-contract and transfer the personal data; (vi) the data exporter’s undertaking to obtain the appropriate authorisation from the data controller in the event of a possible subsequent outsourcing of data processing; (vii) the data exporter’s obligation to require the data importer and, as the case may be, the subsequent subprocessor, to adopt the appropriate technical and organisational security measures provided in the framework agreement; (viii) that the data exporter shall inform the data controller regarding the effective implementation of the security measures that were adopted; (ix) that the data importer and, as the case may be, the subsequent subprocessor, shall process the data in accordance with the instructions set out in the framework agreement; (x) if the transfer includes sensitive data, that the data controller shall inform the data subjects that their data may be transferred to a third country that does not ensure an adequate level of protection as defined in Directive 95/46/CE; (xi) mention of what will happen to the data, i.e., whether it is to be destroyed or returned, once the data importer and, as the case maybe, the subsequent subprocessor cease to provide personal data processing services; and (xii) that the data controller authorises the data exporter to take the necessary steps to obtain the required international data transfer authorisation from the Spanish Data Protection Agency.

It is worth pointing out that the standard clauses do not provide an express obligation for the data exporter to provide the Spanish Agency with a mandatory copy of the framework agreement when applying for the international transfer authorisation. It must be provided only when expressly required by the Spanish Data Protection Agency.

The clauses approved by the Spanish Agency include the definition of ‘subsequent subprocessor’ as any subprocessor engaged by the data importer or by any other subsequent subprocessor who agrees to receive personal data from the data importer or from any other subsequent subprocessor for the sole purpose of processing them on behalf of the data exporter in accordance with its instructions, with the provisions of the framework agreement, the terms of the clauses and the terms of the agreement concluded in writing.

In the case at hand, in order to apply for the relevant international data transfer authorisation, the data exporter must follow the same procedure provided for the other two cases of international data transfers described above.

Isabela Crespo is a senior associate at Gómez-Acebo y Pombo Abogados. She can be contacted on +34 91 582 92 23 or by email: icrespo@gomezacebo-pombo.com.

Isabela Crespo

Gómez-Acebo y Pombo Abogados