In our video blogs we are discussing some practical tips for successful outsourcing. Here we share some thoughts on one of the most common legal issues in offshore outsourcing: compliance with the applicable data protection laws.
The transfer of personal data from a customer/outsourcer based in Italy to a provider/outsourcee based in a non-EU jurisdiction can be carried out only if there is a sound legal basis for doing so.
I briefly summarize below two of the most relevant issues that should be carefully assessed before commencing any offshore outsourcing transaction. The same issues should no doubt be taken into account with any cloud-based services as well.
1. Privacy organization structure
The very first issue to be addressed is the "privacy organization structure" of the transaction.
There is no doubt that the client is the data controller in respect of the relevant data subjects' personal data. But what about the service provider? Should it be considered an independent data controller or a data processor acting on behalf of the data controller? This should be assessed on a case-by-case basis and duly regulated by the parties in the outsourcing agreement, bearing in mind that either choice has specific consequences for both the customer and the service provider. It should also be noted that, regardless of how the parties define and regulate their relationship, the Italian Data Protection Authority and the Italian Courts have the power to freely assess that relationship and to evaluate unilaterally the legal ground that may justify the communication of data from the customer to the service provider.
1.1 Service provider acting as external data processor
Customers typically want to appoint the service provider as "responsabile del trattamento" (data processor). Pursuant to section 29 of the Italian Privacy Code, where designated, the "responsabile" shall be selected among entities that can appropriately ensure, on the basis of their experience, capabilities and reliability, full compliance with the provisions in force applying to the processing of personal data as well as to security matters. In this way data controllers do not have to obtain the prior consent of the relevant data subjects for the disclosure of their personal data to a third party, or find an alternative legal basis for the disclosure. The other side of the coin is that, under the Italian Privacy Code, customers remain in principle liable in case of breach of the applicable privacy law by the data processors acting on their behalf, both for "culpa in eligendo" (i.e. negligence in choosing the supplier) and for "culpa in vigilando" (i.e. negligence in monitoring the supplier). It is therefore crucial for such customers to include in the outsourcing agreement an indemnity clause covering breach of law.
Section 29 of the Italian Privacy Code also provides that the tasks assigned to the "responsabile" shall be detailed in writing by the data controller, which shall supervise the "responsabile" to ensure thorough compliance with both said instructions and the applicable privacy law, also by means of regular controls. Complying with this provision is very difficult when the service provider's terms and conditions cannot be negotiated, or when the outsourcing agreement does not contain an adequate audit clause.
1.2 Service provider acting as independent data controller
It may happen that the service provider does not want to be appointed as external data processor, or does not want to negotiate its standard terms and conditions to comply with section 29 of the Italian Privacy Code. Since in that case the service provider acts as an independent data controller to whom the personal data are communicated by the data subject, a valid legal basis for such data communication must be determined. This is a crucial issue, since the Italian Privacy Code does not consider the "legitimate interest of the data controller" (Article 7(f) of Directive 95/46/EC) a sound legal basis for processing personal data without the data subjects' prior and informed consent, unless a specific decision of the Italian Data Protection Authority authorizes such processing. Therefore, since the Authority has never issued any such authorization for outsourcing transactions, customers should be able to prove either that they have obtained the prior and informed consent of the relevant data subjects to the communication of their personal data to third-party service providers, or that the communication is necessary for the performance of a contract to which the data subject is party (e.g. the agreement with the data subject contains a clause under which the company reserves the right to entrust third-party service providers with the performance of the agreement).
2. Transborder data flows
Regardless of whether the service provider acts as an independent data controller or as a data processor, the parties should ensure that the transfer of personal data outside the EU complies with sections 42-45 of the Italian Privacy Code.
Under Italian law, personal data may be transferred from the Italian territory to countries outside the European Union, temporarily or not and in any form and by any means whatsoever:
a) if the data subject has given his/her consent either expressly or, where the transfer concerns sensitive data, in writing;
b) if the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract, or for the performance of a contract made in the interest of the data subject.
The transfer of processed personal data to a non-EU Member State is also permitted if it is authorized by the Italian Data Protection Authority on the basis of adequate safeguards for data subjects’ rights:
a) as determined by the Italian Data Protection Authority also in connection with contractual safeguards, or else by means of rules of conduct as in force within the framework of companies all belonging to the same group (binding corporate rules);
b) as determined via the decisions referred to in Articles 25(6) and 26(4) of Directive 95/46/EC of the European Parliament and of the Council, of 24 October 1995, through which the European Commission may find that a non-EU Member State affords an adequate level of protection, or else that certain contractual clauses afford sufficient safeguards.
It is in any case prohibited to transfer personal data that are the subject of processing from the State’s territory to countries outside the European Union, temporarily or not and in any form and by any means whatsoever, if the laws of the country of destination or transit of the data do not ensure an adequate level of protection of individuals.
Clients should therefore always check the destination country of the personal data and verify which legal basis may justify the transfer.
Want to know more on the above? Feel free to contact me, Marco Leone (firstname.lastname@example.org).