More Space for Offshoring of Personal Data Processing
For some years now the outsourcing of administrative processes,
for example in human resources and accounting, has been growing in
popularity. Government and business can realize attractive cost
savings in particular by offshoring data processing to low-wage
countries such as the former British colonies India and Pakistan,
where the quality of service provision is high and the population
has a good command of English. The Personal Data Protection Act
imposes obligations on the parties involved in outsourcing, and in
the case of offshoring in particular these obligations are
experienced as obstructive. Recent developments appear to create
more space for the offshoring of personal data processing.
Outsourcing and Protection of Personal Data
The outsourcing of administrative processes usually also involves
the processing of personal data, for example data of staff members,
shareholders and (potential) customers. The requirements of the
Personal Data Protection Act ("PDPA") must therefore be complied
with. Under the PDPA the service provider will usually be designated
as the "processor" of personal data and the client as the
"controller". The controller is in control of the processing of
personal data: it determines whether data are processed and, if so,
which data, for what purpose and for how long. The processor
processes the personal data for the controller, on the instructions
and under the responsibility of the controller.
Pursuant to the PDPA, the client, as controller, must enter into a
written processing agreement with the processor. That agreement must
set out, among other things, that the processor shall process
personal data only on the instructions of the controller, that it is
bound to secrecy, and that it must implement appropriate security
measures. Service providers specializing in outsourcing have often
already included the required processing provisions in their
contracts and general terms and conditions. Clients should bear in
mind, however, that they remain bound by all obligations under the
PDPA. For example, they themselves must notify the data processing
to the Dutch Data Protection Authority (the "Dutch DPA") and inform
the data subjects of the processing. After all, the controller
remains fully responsible and liable for compliance with all
statutory obligations. This applies all the more where the data
processing is offshored.
Offshoring of the Data Processing
If the eventual processing of personal data takes place in a
country outside the European Economic Area that does not offer an
adequate level of protection for personal data, the PDPA rules on
the transfer of personal data to third countries must be complied
with. This means that, barring exceptions, a permit for the transfer
must be applied for from the Minister of Justice. The application is
filed with the Dutch DPA, which assesses the permit application and
advises the Minister whether or not to grant the permit.
The Minister may grant a permit for the transfer if the recipient of
the data in the "third country" has implemented appropriate measures
to protect the personal data in its territory. For this purpose the
parties may use the standard contractual clauses for the transfer of
personal data to processors established in third countries, as
approved by the European Commission pursuant to Directive 95/46/EC
(Decision 2002/16/EC). These standard contractual clauses are
tailored to the situation in which the controller is established in
the Netherlands (or elsewhere in the EEA) and the processor in a
"third country". They are therefore useful where a client in the
Netherlands contracts the offshoring directly with a service
provider in a third country.
In practice, however, service arrangements vary widely. For example,
clients in the Netherlands often engage service providers that are
themselves established in the Netherlands. That service provider
then outsources the processing to a branch of its own or to a third
party in a low-wage country. The standard contractual clauses are
not tailored to this transfer of personal data by a processor in the
Netherlands to a subprocessor in a third country without an adequate
level of protection.
The PDPA requires that the transfer contract be concluded between
the client, as controller, and the eventual recipient of the data in
the third country. The service provider in the Netherlands, which de
facto exports the data, drops out of the middle, as it were. This
form of offshoring therefore presents a complex legal puzzle that is
hard to explain or sell to clients. A new development is that the
Dutch DPA is willing to negotiate with the service provider in the
Netherlands about offshoring to a subprocessor in a third country.
Role of Processor in Obtaining Permit for Transfer to Subprocessor in Third Country
Service providers in the Netherlands that outsource data processing
to a subprocessor in a third country may negotiate a solution with
the Dutch DPA. Such solutions are always customized to the concrete
situation. Under certain circumstances the Dutch DPA will accept
that the service provider, although a processor, acts as
co-controller for the transfer and in that capacity concludes the
standard contractual clauses with the subprocessor and applies for
the permit. The Dutch DPA attaches several preconditions, which may
differ from case to case. The starting point is and remains that the
underlying clients are also responsible for the transfer and are
bound by the standard contractual clauses. The service provider will
therefore have to submit a list of its clients to the Dutch DPA at
regular intervals. If all conditions are met, those clients may
'ride free' on the permit obtained by the service provider. For the
offshoring practice this is an important breakthrough.