30 September 2010
A company wishing to transfer data outside of the European Union (EU) has different possibilities to guarantee a data protection level similar to what it has in Europe, which would make the transfer permissible. Of these, the European Commission’s standard contractual clauses have proven valuable, as they are not subject to the authorization requirement by the supervisory authorities.
However, the European Commission has passed new standard contractual clauses for commissioned data processing, the use of which is compulsory for new commissioned data agreements as of May 15, 2010. Prior agreements must be adjusted if the manner of the commissioned data processing changes. For the first time the new standard contractual clauses permit subcontracting; this is, however, subject to stringent requirements.
Recently, the EU passed new standard contractual clauses for the transfer of personal data to commissioned data processors located in countries outside of the European Union (EU) and the European Economic Area (EEA), the so-called third countries. As of May 15, 2010, the former contractual clauses provided by the EU Commission may no longer be used. The EU standard contractual clauses are probably the most-used instrument for legitimizing the transfer of personal data to third countries. This overview shows which requirements are set out for cross-border data transfers and how companies can fulfill these requirements.
Meaning of Commissioned Data Processing for European Companies
It is often an economic necessity for German companies to transfer personal data to recipients in third countries. Reasons for this need include outsourcing projects, centralized databases and joint ventures.
When European companies enter into information technology (IT) outsourcing agreements with service providers in third countries, the service provider often gets access to personal data (e.g., data on the instructing company’s employees). From a legal point of view such facts present a transfer of personal data into a third country. According to Sections 4b and 4c of the Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG), such cross-border transfers are only permitted under strict provisions.
The Term “Transfer”
Transferring is providing data to a third party. A third party is any person or agency which is not part of the transferring company. In business, third parties are, for example, employees of other companies or other persons from outside of the principal company. The German data protection laws stipulate the same requirements for the transfer of data within the same group of companies as for every other transfer; it does not recognize a privilege for the group of companies.
A transfer can also be both passing personal data to a third party and keeping data available for a third party to view or to request on demand. The data is transferred to the third party as soon as the third party views or demands the data.
Stringent Requirements for the Permissibility of Transfers
German data protection authorities examine the permissibility of a data transfer into third countries via a two-level evaluation.
FIRST LEVEL PERMISSIBILITY EXAMINATION
In the first level evaluation, the data protection authorities will determine whether the planned transfer of personal data to a third party would be permissible according to the BDSG’s common standards. Generally, the BDSG prohibits handling personal data, unless a statutory regulation or a valid consent by the affected person permits this handling of data.
A typical example of transferring personal data in accordance with the BDSG’s common standards is if the transfer is required to maintain the legitimate interest of a company according to Section 28 Subsec. 1 Sent. 1 No. 2 BDSG. Additionally, there may not be any reason to assume that the affected person whose data is being transferred has a legitimate interest in excluding the transfer which outweighs the company’s interest. The company must have a legitimate economic interest for the transfer. For example, lowering costs can certainly be such a necessary business reason.
Furthermore, a transfer according to Section 28 Subsec. 1 Sent. 1 No. 2 BDSG can only be effected if it is “necessary” to maintain the economic interest. That means that the transferring company can only transfer the data that is truly necessary to realize the legitimate business purpose.
The most important part of this legal examination is to determine whether the interests of the persons affected by the transfer are adequately protected. At this time the authorities weigh the company’s interests against those of the person whose data is to be transferred.
In practice, for example, it is recommended that companies look for precedents for permissible transfers (such as from adjudication, or activity reports by the state’s supervisory authorities) and to use these standards as an orientation.
If all of these requirements are fulfilled, then the transfer to another company in Germany, the EU or the EEA is permissible. The transfer to another company in a third country is, however, only permissible under stringent requirements. These are detailed below.
SECOND LEVEL PERMISSIBILITY EXAMINATION
Even if a transfer of personal data is permissible within Europe according to the BDSG’s common standards, this does not mean that the transfer automatically would be permissible to a third country without an adequate level of protection. Here, Section 4c BDSG states far more stringent requirements than those that apply to intra-German or intra-European transfers. Therefore, an adequate data protection level through additional means must be created in order to permit the transfer, or there must be an exception regulation, which permits the data transfer even without a previous creation of an adequate data protection level.
Companies often use the standard contractual clauses passed by the EU Commission in order to fulfill these requirements. In contrast to the binding company provisions named in Section 4c Subsec. 2 Sent. 1 BDSG (Binding Corporate Rules, or BCRs), the EU standard contractual clauses do not need to be authorized by the responsible supervisory authority in order to facilitate a permissible data transfer into third countries.
These binding standard contractual clauses seek to establish a uniform standard in order to facilitate cross-border data transfers into third countries in a timely manner without bureaucratic delay. In the past, data protection supervisory agencies held different positions on whether standard contractual clauses needed to be presented to the supervisory authority individually or even needed to be examined and authorized at all.
The so-called Düsseldorfer Kreis determined that by using the standard contractual clauses completely and unchanged, there is neither an obligation for authorization from nor an obligation for disclosure to the supervisory authorities. The Düsseldorfer Kreis is the joint panel for the data protection supervisory authorities of the individual federal states. In Germany, the representatives of the supervisory authorities for the private sector are organized at state level and together form the Düsseldorfer Kreis. Therefore, usually the decisions rendered by the Düsseldorfer Kreis are decisive for the supervisory authorities.
The Different Types of Standard Contractual Clauses
Prior to the new standard contractual clauses decision, the EU Commission had decided on three sets of standard contractual clauses. The first two, dated June 15, 2001, and December 27, 2004, refer to “normal” transfers to another competent authority in a third country. The third set of standard contractual clauses for the transfer of personal data to commissioned data processors, dated December 27, 2001, deal with data transfer to data processing service providers that process data in commission for the data controller. Section 11 BDSG covers making personal data available to commissioned data processors in an intra-German or intra-European connection. Such a commissioned data processing in third countries is, however, not envisioned by Section 11 BDSG.
The previous standard contractual clauses for commissioned data processing in third countries are no longer applicable for agreements concluded as of May 15, 2010. However, agreements with the old standard contractual clauses which are already concluded remain valid and do not need to be automatically amended to fit the EU Commission’s decisions. If, however, the contracting parties wish to agree upon changes to existing agreements regarding commissioned data processing in third countries, or if the principal wishes to award a subcontract, then the parties must conclude a new agreement using the new standard contractual clauses.
New Requirements for Cross-Border Commissioned Data Processing
REQUIREMENTS FOR SUBCONTRACTOR RELATIONS
Currently, under certain circumstances, the agent can enter into subcontractor relations on the basis of the new standard contractual clauses. This was not provided for in the previous standard contractual clauses for the transfer to commissioned data processors in third countries, and the lack of such a regulation in the old standard contractual clauses was severely criticized. Such subcontracting is, however, subject to certain permissibility requirements:
- Before entering into a subcontract the principal must agree to it in writing.
- This agreement must obligate the subcontractor in the same manner that the agent in the main agreement is obligated.
- The agent must remain fully liable to the principal for all contractual violations by the subcontractor. Agent and subcontractor must agree upon a so-called third party beneficiary clause (Drittbegünstigtenklausel), under which affected persons must also be able to assert claims for damages against the subcontractor, if necessary.
- The law of the country in which the principal is based must also be the applicable law, just as in the old standard contractual clauses. The data protection laws applicable to the principal must now also apply to data processing by the subcontractor. If a German company transfers data to an agent in a third country who, in turn, passes on some of the data to a subcontractor, then German law also applies to the agreement between the agent and the subcontractor.
- Additionally, the contractual relations with the subcontractors must be carefully documented. The agent must both inform the principal and obtain written authorization prior to a subcontracting, and must also provide the principal with additional copies of the subcontracts.
- Finally, the principal must annually maintain a current index of the agreements with subcontractors and make this index available to the relevant supervisory authorities. It is not clear whether this can be merely a list of the existing subcontracts, or whether the index must also contain the respective clauses. However, it can be assumed that the agent does not need to disclose the agreements with the subcontractors. According to the opinion of the Düsseldorfer Kreis the principals do not need to disclose to the supervisory authorities the standard contractual clauses between principal and agent. Therefore, this suggests that a subprincipal does not need to disclose the standard contractual clauses executed with the sub-agent, which must contain the same provisions as those of the concluded standard contract clauses of the relationship.
APPLICABLE LAW FOR THE DATA PROCESSING CONTRACT
The standard contractual clauses only refer to data protection law provisions. A complete agreement regarding commissioned data processing in a third country must also cover substantial economic aspects, which the principal and agent can determine in the remaining agreement.¹ The wording of the standard contractual agreement and the recitals by the EU Commission prescribe that the standard contractual clause (which refers to data protection in transfers) is subject to the law of the country in which the principal is based. Now, data processing contractors are also subject to the principal’s applicable data protection laws. However, it is possible to have the other (economic) provisions be subject to another legal system by making the standard contractual clauses a separate appendix to an outsourcing or service agreement. This appendix can then—regardless of the main agreement—be subject to the law of the country in which the principal is based. It remains to be seen what position the supervisory authorities will take regarding this procedure.
Implementation of the New Standard Contractual Clauses in Contractual Changes
The supervisory authorities will probably apply a stricter standard when assessing whether the old standard contractual clauses may continue to be used or whether the new standard contractual clauses must be implemented because of a minor change to the existing agreement. It can be expected that every amendment of the agreement will be assessed as a contractual amendment within the meaning of the EU Commission’s decision.
Whether such a minor change applies to agreements that consist of numerous contracts is not easy to answer, especially regarding comprehensive IT service agreements which, for example, deal with data processing in an EU/EEA foreign country. Such agreements usually consist of a master services agreement and numerous appendices, which define the subject matter of the agreement more closely regarding definitions, statements of work, service level agreements, pricing terms and other comparable provisions.
Effects on Companies
Companies should respond to this changed legal situation by thoroughly examining whether and how they should use the new standard contractual clauses. Existing contractual clauses should be examined to determine whether changes to contract terms, appendices or amendments can require the use of the new clauses. Companies must also ascertain the scope of the contractual changes. Failure to take these steps can result in penalties, claims for damages and, above all, substantial injury to reputation if it appears that the company is not serious about data protection.
1. EU Commission, Decision 2010/87/EU, recital 4, ABl. EG Nr. L 39 dated February 12, 2010, 5(5).