g-docweb-display Portlet

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

versione italiana

 

[doc. web n. 3346765]

Cross-Border Data Transfers Authorisation Granted to Ernst & Young Global Limited – 23 January 2014

THE ITALIAN DATA PROTECTION AUTHORITY,

Having convened today, in the presence of Mr. Antonello Soro, President; Ms. Augusta Iannini, Vice-President; Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members; and Mr. Giuseppe Busia, Secretary-General;

Having regard to Article 25(1) and (2) of Directive 95/46/EC, of the European Parliament and of the Council, of 24 October 1995, whereby personal data may be transferred to a third country if the latter country ensures an adequate level of protection;

Having regard to Article 26 of the said Directive, setting forth derogations from the above principle to the effect that a Member State may authorize a transfer or a set of transfers to a third country which does not ensure an adequate level of protection if the data controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights;

Having regard to legislative decree No. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter the "Code");

Having regard, in particular, to Article 44(1), letter a), of the Code, whereby personal data may be transferred to a non-EU country if the transfer is authorized by the Italian DPA on the basis of adequate safeguards for data subjects´ rights, which may be determined by the DPA also in the light of corporate rules as in force for companies belonging to the same corporate group – being the so-called Binding Corporate Rules (hereinafter, "BCR");

Whereas the above provision empowers a data subject to claim their rights in the State´s territory pursuant to the Code also in case of non-compliance with the safeguards set forth in BCR;

Whereas the Article 29 Working Party (set up by Article 29 of Directive 95/46/EC) is tasked, among other things, with providing interpretations and opinions to ensure harmonized, EU-wide application of the principles contained in the Directive; whereas the Working Party has found that the BCR may be an instrument for transferring personal data to third countries such as to ensure, generally speaking, an adequate level of protection of data subjects´ rights, and that they are accordingly compatible with the provisions set forth in Directive 95/46/EC – see, in particular, Article 26(2) thereof;

Having regard to the specific requirements set forth by the Article 29 Working Party in its documents WP74 of 3 June 2003, WP108 of 14 April 2005, and WP153 of 24 June 2008, which must be complied with by any BCR a multinational group plans to rely upon in order to be granted the necessary national authorisations to perform cross-border data transfers within the corporate group;

Whereas, moreover, the Article 29 Working Party has adopted an additional opinion (WP107 of 14 April 2005) setting out the cooperation procedure for granting the national BCR-related authorisations; whereas the latter opinion provides, among other things, that the procedure in question should be coordinated by the DPA from one of the EU Member States concerned by the data transfers and that such DPA should act as the "lead authority";

Whereas the Italian Data Protection Authority has joined the "Declaration on mutual recognition" whereby the aforementioned cooperation procedure can be finalized more expeditiously since the favourable opinion rendered by the lead authority on the so-called "final draft" BCR may provide the legal basis for granting the relevant national authorization;

Having regard to the application received by the Italian DPA on 9 January 2012 and lodged with the UK Data Protection Authority (Information Commissioner´s Office, hereinafter "ICO"), which was determined to be the lead authority as for the relevant procedure, by  Ernst & Young Global Limited, being a company of the Ernst & Young network working in the professional auditing and accounting management, taxation,  transaction and advisory services sectors;

Noting that the above application was lodged by Ernst & Young Global Limited, a company having its registered office in the United Kingdom which is tasked with personal data protection responsibilities as part of the Ernst & Young network; that the above application is aimed at being granted the authorization to carry out intra-group transfers to third countries of the personal data relating to "employees, partners, customers, directors, former employees, former partners, former customers, former directors, family members, contractors/sub-contractors, clients, suppliers" for so-called commercial purposes as specified under the terms of Section 7 of the Application Form,  by way of the adoption of Binding Corporate Rules, i.e. the so-called "Ernst & Young BCR";

Taking note that Ernst & Young BCR consist of a corporate policy called "BCR Plan for Ernst & Young Data Protection" (hereinafter "BCR policy") along with 6 attachments – namely, "Appendix 1 – Roles and responsibilities concerning data protection"; "Appendix 2 – Procedures for data subject access requests"; "Appendix 3 – Compliance protocol evaluation"; "Appendix 4 – Complaint management procedure"; "Appendix 5 – Cooperation procedure"; "Appendix 6 – Update procedure";

Whereas Ernst & Young network consists of a global network of independent legal entities ("Member Firms") that are bound to comply with a set of rules (so-called "Ernst & Young rules") by way of an "Association Agreement";

Taking note that the aforementioned "Association Agreement" is undersigned by each Member Firm and by Ernst & Young Global Limited, the company tasked with fostering cooperation and coordination of Member Firms in its capacity as central governance body of the network;

Taking into account that the said "Ernst & Young rules" set forth that Member Firms are required to implement and keep common standards, methodologies and policies including those related to personal data protection, and that the "BCR policy" is one of the said common policies of the Ernst & Young network;

Considering, additionally, that all Member Firms are subjected to controls under the "Association Agreement" and "Ernst & Young rules" in order to assess compliance with common rules and policies, under penalty of the imposition of sanctions including termination of the said "Association Agreement";

Taking note that the "BCR Policy" is published on the website of the Ernst & Young network (see "BCR Policy", p. 1);

Considering that on 21 December 2012 the ICO forwarded the relevant final draft to the EU DPAs concerned after completing the European procedure for Ernst & Young BCR in pursuance of the mutual recognition mechanisms, and that ICO certified the said BCR to comply with the requirements laid down in the WP29 documents mentioned above;

Whereas the Italian DPA confirmed reception of the final draft of Ernst & Young BCR on 14 February 2013 and reserved the right to evaluate compliance of the said draft with Italian legislation by way of the national authorization procedure;

Having regard to the application lodged on 12 July 2013 under Section 44(1), letter a), by Studio Legale Tributario in association with Ernst & Young, Global Shares Services S.r.l., Ernst & Young Financial-Business Advisors S.p.A., with registered office in Milan, Reconta Ernst & Young and Ernst & Young Business School S.r.l., both having their registered offices in Rome, in order to be granted the national authorization for the Member Firms of Ernst & Young network to perform intra-group transfers by way of Ernst & Young BCR, with regard to the personal data relating to "employees", including former employees, partners, directors and executives for administrative and accounting purposes and "to fulfil legal and regulatory obligations"; prospective employees and partners, directors and executives for the purposes related to recruitment of staff and the setting up of employment or collaboration relationships; "clients", "suppliers", "contractors", "sub-contractors" and "other third parties"  for "operations relating to corporate activities" and "to fulfil legal and regulatory obligations"; family members, spouses or equivalent dependents of current and former employees, directors, executives and partners as well as the emergency contact persons of current or former employees, directors, executives and partners for "personnel management"  and "communication and emergency" purposes and "to fulfil legal and regulatory obligations" (as set out in detail in the Table attached to this authorization, which is an integral part hereof – see "Annex 1");

Having regard to the information requests made by the Italian DPA on 4 November and 16 December 2013 and on 8 January 2014 to the aforementioned companies in order to get clarifications specifically on:

- The type of information to be transferred, the specific purposes aimed at and the entities concerned by the transfers as data subjects (see letters of 4 November 2013, item (a); 16 December 2013, items (a) and (b); 8 January 2014, items (a), (b), and (c) );

- The allocation of responsibilities and tasks in Ernst & Young network (see letter of 4 November 2013, item (b) );

- Compliance with the data protection Code of Part II of the BCR Policy (containing the "rules") (see letter of 4 November 2013, item (c) );

Whereas the company replied to the DPA on the aforementioned issues via letters dated 18 November 2013 and 7 and 9 January 2014 and undertook full liability therefor pursuant to Section 168 of the Code, to the effect that:

- Regarding the data subject categories and the type of personal information to be transferred, the authorization application refers to " ‘employees´ including current and former employees, partners, directors and executives for administrative and accounting purposes and ‘to fulfil legal and regulatory obligations´; prospective employees and partners, directors and executives for the purposes of activities related to staff recruitment and the setting up of employment or collaboration relationships; ‘clients´, ‘suppliers´, ‘contractors´, ‘sub-contractors´ and ‘other third parties´ for the purposes of ‘operations relating to corporate activities´ and ‘to fulfil legal and regulatory obligations´; family members, spouses or equivalent dependents of current and former employees, directors, executives and partners as well as the emergency contact persons of current and former employees, directors, executives and partners for the purposes of ‘personnel management´, ‘communications and emergencies´ and ‘to fulfil legal and regulatory obligations´ ". In particular, "the data subject categories relating to ‘clients´, ‘suppliers´, ‘contractors´ and ‘sub-contractors´ also include prospective, current and former clients, suppliers, contractors and sub-contractors; the category relating to ‘executives´ includes ‘heads of units/departments´ " (see letter of 9 January 2014);

- Regarding the purposes of the transfers at issue, such purposes are set out in detail in the Table that is attached to the letters of 7 and 9 January 2014 (see Annex I to this authorisation);

- As for the liability clause, the Ernst & Young network "has implemented a liability system within its BCR, on account of the peculiarities of its structure, whereby the personal data exporter is (fully) liable for whatever action brought following breaches of the said BCR"; this is explained "to data subjects in the BCR Section called ‘What are the practical consequences for the collection and use of personal data in the EEA´ " (see the company´s letter of 18 November 2013, item 2);

- As for Part II of the "BCR Policy", the Ernst & Young Network ensures full conformity of the principles set forth therein with the provisions of the Italian data protection Code; this applies, in particular, to the provisions on processing mechanisms (Section 11), the information to be provided to data subjects (Section 13), the lawfulness criteria applying to the processing of personal data (Sections 23 and 24), security measures (Section 31 et seq.), and the transfers of personal data to entities outside the network (Section 42 et seq.) (see letter of 18 November 2013, item 3);

Noting, nevertheless, that the processing of personal data will only be lawful – also upon granting of this authorization – if it is in line with the domestic legislation in force, including subsequent amendments thereof, as well as with the specific data protection provisions as related, in particular, to fulfilment of the lawfulness requirements regarding collection of the data to be transferred and communication of such data;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant personal data processing legislation may not be used;

Whereas the Italian DPA is tasked under Section 154(1), letters a) and d), of the Code with checking compliance of processing operations with the applicable legislation and may, also of its own motion, take such measures as are provided for by the said Code;

Having regard to official records;

Having regard to the considerations submitted by the Office via the Secretary General under Article 15 of the DPA´s Rules of Procedure No. 1/2000;

Acting on the report submitted by Ms. Augusta Iannini;

BASED ON THE ABOVE PREMISES,

a. Under Section 44(1), letter a), of the Code, authorizes Studio Legale Tributario in association with Ernst & Young, Global Shares Services S.r.l., Ernst & Young Financial-Business Advisors S.p.A., Reconta Ernst & Young and Ernst & Young Business School S.r.l. to transfer, within the framework of the Ernst & Young network, the personal data relating to "employees" – including former employees, partners, directors and executives - , prospective employees, prospective partners, directors and executives, "clients", "suppliers", "contractors", "sub-contractors", "other third parties", family members, spouses or equivalent dependents of current or former employees, directors, executives and partners, and emergency contact persons of current and former employees, directors, executives and partners, from the State´s territory to Ernst & Young network entities having their registered offices in non-EU countries, in accordance with the mechanisms laid down in Ernst & Young BCR and exclusively for the purposes referred to therein as set out specifically in Annex 1 to this authorisation;

b. Under Section 154(1), letters a) and d), of the Code, reserves the right to at any time carry out the necessary controls on lawfulness and fairness of the data transfers as well as on any processing operations related thereto and to take, where necessary, the measures provided for by the Code.

Done in Rome this 23rd day of the month of January 2014

THE PRESIDENT
Soro

THE RAPPORTEUR
Iannini

THE SECRETARY GENERAL
Busia

Scheda

Doc-Web
3346765
Data
23/01/14

Argomenti


Tipologie

Bcr

Documenti citati