Are You Ready for Brazil’s New Data Protection Law?
27 December 2018
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on...
Blog: Chronicle of Data Protection | 05 June 2012
Written by Gonzalo F. Gállego and Belén Gámez
It is well-known that international transfers of personal data from EU data controllers to data processors based in "countries not granting an adequate level of protection" ("Third Countries"), are subject to certain requirements provided for in the laws implementing the Data Protection Directive (95/46/EC) (the "Directive") in each EU Member State. While there are other mechanisms and exceptions, generally speaking, for personal data to be transferred to Third Countries, the EU controller and the processor in the Third Country must enter into a contract using EU-approved Standard Contractual Clauses. See Standard Contractual Clauses for the Transfer of Personal Data to Processors established in Third Countries approved by the EU Commission in its Decision 2010/87/EU (the "EU Standard Contractual Clauses"). In addition, depending on the EU Member State where the exporter is based, the international transfer may be also subject to notification and/or authorization requirements.
While transfers arising under these requirements may sometimes not be easy to implement, they at least are clear and relatively harmonized across the different EU Member States.
Greater challenges arise in scenarios where a data processor in the European Economic Area ("EEA") is providing services to a data controller also in the EEA and the data processor wants to sub-contract part of the services to companies based in Third Countries. These third parties will also be involved in the processing of the data and will be sub-processors. The use by EU processors of sub-processors in Third Countries is becoming increasingly common for many services including Information Technology, Business Process Outsourcing, and call center operations. It is already standard in the Cloud Computing environment.
Under Spanish law, access to personal data by sub-processors in Third Countries implies an international transfer subject to the requirements mentioned above. In Spain, such requirements consist in obtaining an authorization from the Spanish Data Protection Agency ("SDPA").
Until now, data controllers were the only ones entitled to request authorizations from the SDPA. Therefore, when a data processor in Spain wanted to use sub-processors in Third Countries, the data processor needed to ask its customer (i.e. the data controller in Spain) to request an authorization from the SDPA every time a sub-processor was used. Moreover, in order to obtain the mentioned authorization, the data controller was also required to enter into the Standard Contractual Clauses with each sub-processor in a Third Country (the data importer).
This situation caused significant inconveniences for services providers operating in the Spanish market. The advantages inherent to the services they provide (e.g., quality, flexibility, etc.) and the ability to use resources offshore (e.g. less costs, availability, etc.) were offset by the administrative budens in requiring their data controller customers to enter into numerous Standard Contractual Clauses with the service provider's sub-processors and to obtain authorizations of the SDPA. Fulfilling the data protection requirements was so burdensome that some data controller preferred not to contract for certain services they otherwise would, resulting in inefficiencies and lost commercial opportunities for service providers.
This situation has changed recently in Spain thanks to a new procedure established by the SDPA, which allows data processors (not data controllers) based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based in Third Countries.
The key elements of this new procedure are the following ones:
Given the novelty of these clauses, it is foreseeable that in application new issues may arise. In any case, we anticipate that the New Processor–Sub-processor Clauses in Spain will be a significant improvement for service providers wanting to contract with sub-processors.