- Lynn Pype - Griet Verfaillie
- data processing , data exporter , data importer , controller , processor , sub-processor , framework agreement
Companies mostly opt to contract out the processing of personal data, such as for instance a customer database, to companies that are not established in the European Union and in principle do not have to meet the requirements set by the “Personal Data Protection” Directive.(1)
As a result the safety of the handling of the personal data may be at stake.
The "transfer" of personal data to third countries that do not have an adequate level of protection (as regards the handling of personal data) is made possible, inter alia through protection by way of an agreement that is binding both with respect to the data exporter and the data importer.
In order to ensure the safety of the handling of the personal data, the European Commission has already drawn up a number of standard agreements in the past, in which the provisions of the "Personal Data Protection" Directive are contractually included.(2)
The responsibilities imposed by these contracts vary according to the parties’ capacities.
On the one hand there is the "Controller". He is the one who has the control of the personal data and who gives instructions regarding their processing.
Then there is the "Processor". He acts on instruction of the Controller.
Finally, an appeal can still be made to a "Sub-Processor", who as it were carries out tasks as a subcontractor of the Processor.
The Standard Agreements that are already available refer to the relationship between the European Controller (Data Exporter), and the non-European Controller (Data Importer), as well as to the relationship between the European Controller and the non-European Processor and his non-European Sub-Processor.
There was consequently no specific Standard Agreement to regulate the relationship between a European Processor of personal data and a non-European Sub-Processor. However, it is not inconceivable that a European Processor opts to engage a Sub-Processor from a third country. In order that also this relationship would provide for the necessary guarantees, on 21 March 2014 a proposal was launched in order to remedy this gap.
The contents of the new Standard Agreement are similar to the Standard Agreements that are already being used. One of the main features of such agreement is the Third Party Beneficiaries clause. On that basis, a data subject whose data are processed can bring an action if a party fails to comply with its contractual obligations. This clause ensures that the individual (data subject) can enforce and taken action to protect his data rights in the first place against the Data exporter and, should the Data Exporter no longer exist, against the Data Importer and in the last instance against the Sub-Processor.
In the existing Standard Agreement, the Controller was always the Data Exporter. The new agreement provides that the personal data are transferred by the Processor.
Nevertheless, the Controller will in the first place remain liable, should an individual suffer damage as a result of an incorrect operation in the processing. Only if the Controller no longer exists, the individual can take action against the Data Exporter and the Data Importer-Processor.
However, the data subject concerned cannot take action against the Controller under such agreement. A clause in favour of third parties creates a tripartite relationship, and the Controller would be a fourth party, which is not allowed by this construction. The liability of the Controller and the rights of action of the individual concerned will, therefore, result from the framework agreement entered into by the Controller with the Processor-Exporter.
The conclusion of a framework agreement is an obligation the Data Exporter-Processor must have fulfilled, if he wants to transfer personal data to a Data Importer-Processor. In such framework agreement the Controller must undertake a series of obligations that should ensure the safety of the processing.
Having regard to the fact that the Controller is not a party to the new agreement, he will have every reason to give his Processors clear and explicit instructions regarding the processing and under which circumstances action can be taken against a Data Importer-Sub-Processor. After all, the Controller will remain the first point of contact.
In any case, it is good news that a uniform legal framework for the transfer of personal data between European and non-European Processors will be provided for. This proposal will now be evaluated by the European Commission and only if the Commission’s conclusion is positive, the new standard agreement can be used.
1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
2 Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries and Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries.