g-docweb-display Portlet

Authorisation To Use Standard Contractual Clauses ' EU Data Controllers to Non-EU Data Processors and Non-EU Data Processors to Non-EU Sub-Process...

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

[doc. web n. 1741786]

versione italiana 

Authorisation To Use Standard Contractual Clauses – EU Data Controllers to Non-EU Data Processors and Non-EU Data Processors to Non-EU Sub-Processors

The Italian Data Protection Authority

Having convened on this day, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan, Member, and Mr. Daniele De Paoli, Secretary General;

Having regard to Article 25 of directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, whereby personal data may be transferred to a third country if the third country in question ensures a level of protection that is considered adequate in the light of the criteria laid down in paragraph 2 thereof;

Having regard to Article 26 of the aforementioned directive, which sets forth some derogations from the above principle by providing that a Member State may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate protection level if the data controller adduces sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, whereby such safeguards may in particular result from appropriate contractual clauses;

Having regard to paragraph 4 of the said Article 26, concerning the decisions of the European Commission on standard contractual clauses;

Noting that the European Commission found that some standard contractual clauses as per its decision dated 27 December 2001 (no. 2002/16/EC published in the Official Journal of the European Communities L 6/52 of 10 January 2002) afforded sufficient safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals and as regarded the exercise of the corresponding rights in case personal data were transferred to data controllers established in third countries which did not ensure an adequate level of protection;

Whereas the European Commission repealed  its decision no. 2002/16/EC by a decision dated 5 February 2010 (no. 2010/87/EU published in the Official Journal of the European Communities L 39/5 of 12 February 2010) and found that a new set of standard contractual clauses attached to the said decision also afforded sufficient safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals and as regarded the exercise of the corresponding rights in case personal data were transferred to third countries under the terms of directive 95/46/EC (see Recital 7 and Article 1 of decision no. 2001/87/EU);

Noting that the Commission´s decision concerns data transfers as performed from the State´s territory by a data controller established in the EU (data exporter) to a data processor for the same processing (data importer) established in a third country which does not ensure an adequate level of protection;

Noting, moreover, that the said decision contains specific standard contractual clauses also concerning subsequent transfers of personal data as performed by a data processor (data importer) established in a third country which does not ensure an adequate level of protection to another data processor established in a third country which does not ensure an adequate level of protection (so-called sub-processor),  based on a specific contract (so-called sub-contract) entered into by the aforementioned entities;

Whereas "sub-processor" means any processor engaged by the data importer or by any other sub-processor of the data importer and who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for the processing activities to be carried out on behalf of the data exporter after the transfer in accordance with the data exporter´s instructions, the standard contractual clauses set out in the Annex to the aforementioned decision, and the terms of the written contract for sub-processing (Article 3(e) and Clause no. 1, letter d), of decision no. 2010/87/EU);

Whereas the Commission´s decision lays down the conditions to ensure that "the personal data being transferred continue to be protected notwithstanding the subsequent transfer to a sub-processor" as performed on the basis of a sub-contract, and also provides that the latter should only apply to the processing operations set out in the contract between the data importer and the data exporter incorporating the aforementioned standard contractual clauses and should not refer to different processing operations or purposes so that the purpose limitation principle laid down in directive 95/46/EC is respected (see Recitals 17 and 18 of decision no. 2010/87/EU);

Whereas the Commission´s decision provides, in particular, that in the event of a sub-contract the data importer undertakes to inform the data exporter and obtain its prior written consent, failing which consent the data importer may not sub-contract any of its processing operations performed on behalf of the data exporter (Clause 5, letter h), and Clause 11, paragraph 1, of decision no. 2010/87/EU);

Whereas, furthermore, if the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it is required to enter into a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses; whereas this requirement may be satisfied by the sub-contractor co-signing the contract entered into between data exporter and data importer (Clause 11, paragraph 1, of decision no. 2010/87/EU);

Noting, additionally, that the data importer undertakes to send copies of the contracts concluded to the data exporter and the data exporter undertakes in turn to keep an updated list of the said sub-contracts and make it available to the respective supervisory authority (Clause 5, letter j), and Clause 11, paragraph 4, of decision no. 2010/87/EU);

Noting, furthermore, that the European Commission, partly in the light of the opinion rendered by the Article 29 Working Party (see paragraph 1.1. of Opinion no. 3/2009, Document WP161, dated 5 March 2009), has left Member States free to take account of the circumstance that the decision to sub-contract to a sub-processor is subject to "the principles and safeguards of the standard contractual clauses set out in this Decision […] with the intention of providing adequate protection for the rights of data subjects whose personal data are being transferred for sub-processing operations" in the event a data processor established in the European Union which processes personal data on behalf of a data controller established in the European Union sub-contracts the processing to a sub-processor established in a third country which does not ensure an adequate level of protection (Recital no. 23 of decision no. 2010/87/EU);

Whereas EU Member States are required to take the necessary measures to comply with the Commission´s decision pursuant to Article 26(4) of the directive;

Having regard to section 44(1)b. of legislative decree no. 196 dated 30 June 2003 (Personal Data Protection Code), whereby personal data may be transferred to non-EU countries if this is authorised by the Italian data protection authority based on adequate safeguards for data subjects´ rights as determined by the Commission´s decisions mentioned in Articles 25(6) and 26(4) of directive 95/46/EC;

Noting that this Authority by its decision no. 3 dated 10 April 2002 had authorised the transfer of personal data to data processors established in third countries pursuant to the standard contractual clauses attached to the decision dated 27 December 2001 (no. 2002/16/EC), which was subsequently repealed by the Commission via its decision no. 2010/87/EU;

Considering that the standard contractual clauses contained in the Annex to decision no. 2010/87/EU, which was issued by the Commission on 5 February 2010, also provide for safeguards applying to data subjects´ rights and such safeguards may be regarded as adequate under the terms of the aforementioned section 44(1)b.;

Considering it necessary to further publicize the standard contractual clauses contained in the Commission´s decision no. 2010/87/EU by having them published in Italy´s Official Journal as an Annex to this authorisation;

Considering it necessary to lay down requirements in respect of the information to be made available to this Authority on account of the tasks  it is called upon to discharge, which are also mentioned in the said Commission´s decision, to the extent this is necessary in the initial implementing stage of this authorisation and under the terms set out hereinafter;

Considering that this Authority reserves the right to decide on a case by case basis whether to act as a mediator in pursuance of Clause 7, paragraph 1, letter a), of decision no. 2010/87/EU;

Subject to the setting forth of additional criteria and arrangements based on the experience gathered in applying the Clauses, also at Community level;

Having regard to the records on file;

Having regard to the considerations made by the Office as submitted by the Secretary General under Article 15 of the Garante´s Rules of Procedure no. 1/2000;

Acting on the report submitted by Professor Francesco Pizzetti;

NOW, THEREFORE, THE ITALIAN DATA PROTECTION AUTHORITY

1. Without prejudice to such additional provisions as may be laid down in Italy´s Personal data protection Code, authorises hereby the transfer of personal data as from 15 May 2010 to non-EU countries in pursuance of the standard contractual clauses attached to the European Commission´s decision dated 5 February 2010 (no. 2010/87/EU) as well as in accordance with the preconditions set forth in the aforementioned decision (Article 6 of the European Commission´s decision dated 5 February 2010, no. 2010/87/EU), including the cases in which a data processor established in the EU that processes personal data on behalf of a data controller established in the EU sub-contracts the processing to a sub-processor established in a third country which does not ensure an adequate level of protection (Recital no. 23 in the European Commission´s decision dated 5 February 2010, no. 2010/87/EU);

2. Repeals the Italian DPA´s decision no. 3 dated 10 April 2002 concerning standard contractual clauses for the transfer of personal data to data processors established in third countries as from the aforementioned date (see Article 7(1) of the European Commission´s decision dated 5 February 2010, no. 2010/87/EU);

3. Orders that

a. The contract concluded between data exporter and data exporter prior to 15 May 2010 under the terms of the DPA´s decision no. 3 dated 10 April 2002 shall remain in force and effective for as long as the transfers and the data processing operations that are the subject of the said contract remain unchanged and personal data covered by this authorisation continue to be transferred between the parties (see Article 7(2) of the European Commission´s decision dated 5 February 2010, no. 2010/87/EU);

b. A copy of the contract related to the transfer and any other necessary information shall be provided to the Italian DPA only if the latter so requests (section 157 of the Personal data protection Code and Clause 8, paragraph 1, of the European Commission´s decision dated 5 February 2010, no. 2010/87/EU);

c. The data exporter shall notify the Italian DPA of the sequential appointment of more than one sub-processor following adoption of the standard contractual clauses as per this authorisation (see section 157 of the Personal data protection Code);

d. The data exporter shall notify the Italian DPA of the choice made by the data subject in case a dispute cannot be settled amicably to refer the dispute either to an entity other than the Italian DPA or to judicial authorities (Clause 7, paragraph 1, letter a) of the European Commission´s decision dated 5 February 2010, no. 2010/87/EU);

4. Reserves the right to perform any necessary controls on lawfulness and fairness of the data transfers and to order the transfer(s) to be blocked and/or banned in accordance with the Personal data protection Code and Community legislation (see Section 154(1)a. and d. and Article 4 of the European Commission´s decision dated 5 February 2010, no. 2010/87/EU);

5. Orders this authorisation and the attached European Commission´s decision to be forwarded to the Ufficio pubblicazione leggi e decreti of the Italian Ministry of Justice in order for them to be published in the Official Journal of the Italian Republic.

Done in Rome, this 27th day of the month of May in the year 2010

THE PRESIDENT
Pizzetti

THE RAPPORTEUR

Pizzetti

THE SECRETARY GENERAL
De Paoli