Recently the Article 29 Working Party, an independent advisory body composed by the representatives the EU Member States’ data protection authorities, issued a working document on draft model clauses for the international transfer of personal data from a EU data processor to a non-EU sub-processor.
The transfer of data is becoming an increasing relevant matter for a large number of companies. Up to date, the European Commission only approved model clauses governing controller-to-controller and controller-to-processor transfers. With regard to model clauses controller-to-processor (Decision 2010/87/EU), the Commission underlines that a non-EU processor can subcontract any of its processing operations exclusively upon an explicit consent of the controller and provided that a customized written agreement is executed with the sub-processor.
A customized data transfer agreement processor-to-subprocessor may offer less legal security for the data subject and be subject to burdensome approval processes from the competent authorities (which, in certain cases, may challenge the adequacy of the agreement).
The draft does not constitute a new official set of model clauses, but exclusively a proposal for the European Commission (albeit the European Commission generally take such proposals well into account!). The draft – where adopted by the Commission – would no doubt guarantee a higher level of transparency and accountability with regard to the transfer of data between various sub-contracting processing entities. A pre-approved set of contractual provisions would also avoid for the involved parties the negotiation complex data protection clauses each time a contract is entered into by the same parties, thus ensuring compliance with data protection laws with a likely reduction of costs for contract negotiations.
We look forward to seeing whether the European Commission will take propt action, simplifying the current (outdated) procedures to transfer data.