OUTSOURCING AND TRANSFER OF PERSONAL DATA
7. Information Security Training Program Aalto University/ Aalto Pro 16.01.2012 Titta Penttilä
SUMMARY
Author
Titta Penttilä, LL.M.,
Senior Security Manager
Date and place
16.1.2012, in Helsinki, Finland
Course
Aalto University / AaltoPro: 7. Tietoturvallisuuden koulutusohjelma
(7. Information Security training program)
Title
OUTSOURCING AND TRANSFER OF PERSONAL DATA
Outsourcing of business activities within the EU and also to third countries is becoming a
natural part of today's business operations. The concept of personal data is very wide,
and therefore the aspects regarding transfer of personal data are relevant in most
outsourcing cases.
The Personal Data Directive from the year 1995 forms the current foundation of regulation in
the EU Member States. The first part of this study concentrates on describing the
regulatory framework, and the second part gives more practical information on taking
personal data aspects into account in each phase of the outsourcing activity.
Keywords: Outsourcing, personal data, privacy, data protection
Table of contents
1 Introduction
2 Regulation
2.1 Fundamental rules of European Union
2.2 European Union directives
2.3 Commission decisions, opinions and recommendations of the Working Party
2.4 Finnish regulation
2.5 Applicable law
2.6 The new legal framework for the protection of personal data in the EU
3 Terminology
3.1 Personal Data
3.2 Outsourcing
3.3 Controller
3.4 Processor
4 Transfer of personal data from controller to processor
4.1 What determines a transfer of personal data?
4.2 General principles on processing of personal data
4.3 Transfers within Finland and the EU/EEA
4.4 Transfers to third countries from the EU/EEA
4.4.1 General aspects
4.4.2 The alternative ways of proceeding
4.4.2.1 Adequacy assessment
4.4.2.2 Specific situations and conditions
4.4.2.3 Standard contractual clauses approved by the Commission
4.4.2.4 Adequate safeguards adduced by the controller
5 Outsourcing lifecycle and data protection
5.1 Preparation phase
5.1.1 Developing the business case
5.1.2 Choosing the partner
5.1.3 Agreeing with the partner
5.2 Implementation phase
5.3 Operation phase
5.4 Review and Exit phase
6 Conclusions
BIBLIOGRAPHY
1 Introduction
Outsourcing of business operations or functions has become a growing trend and a
natural part of today's business operations. When considering outsourcing, information
security and privacy aspects are an essential part, since outsourcing nearly always
involves transfer of information to the outsourcing partner. Most of the time the
information also includes personal data (e.g. concerning customers or employees).
Processing and transferring personal data is regulated on the European Union (EU) and
national level. One major issue when planning outsourcing is to understand the
demands of regulation and the risks involved. When operating on the national or even the
EU level the concept is rather clear, but if operations are outsourced outside the EU to
so-called third countries the legal requirements are much more complex and leave room
for interpretation.
In this study my target is first to describe the regulatory background, requirements and
possible ways to go forward, and then to take a more practical view on how the transfer of
personal data to an outsourcing partner should be taken into account in each phase
of the outsourcing lifecycle. The first part is mainly based on literature and official EU
documents, and the more practical latter part also includes information based on my own
experience as legal counsel and senior security manager.
Since my aim is to cover outsourcing situations, I have limited the scope to include only
transfers of personal data from a controller to a processor (i.e. from a company to an
outsourcing partner that processes personal data on behalf of the company in question),
and I won't be looking into issues related to controller-to-controller or intra-company
transfers (e.g. Binding Corporate Rules). In addition, I am looking into the issue from the
EU perspective and only including aspects related to transfers originating from the EU,
i.e. transfers within a Member State, to another Member State or to a third country,
using Finland as an example.
The main emphasis is put on EU-level regulation, since that forms the basis of
regulation in all Member States already now and even more strongly in the future. There
is a comprehensive EU data protection law reform currently ongoing, which
will also have an impact on the transfer of personal data in outsourcing cases. I have
therefore included a brief glance at the future regulation proposal. The perspective of
this study is juridical and administrative; therefore no technical aspects are covered.
2 Regulation
2.1 Fundamental rules of European Union
The European Union is founded on two constitutive treaties: the Treaty on European
Union and the Treaty on the Functioning of the European Union, which both have the
same legal value.
The Treaty on the Functioning of the European Union organizes the functioning of the
Union and determines the areas of, delimitation of, and arrangements for exercising its
competences1 and also includes provisions related to the protection of personal data.
Article 16
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.
As referred to in the above-mentioned Article 16, the Treaty on European Union states
that the Council shall adopt a decision laying down the rules relating to the protection
of individuals with regard to the processing of personal data by the Member States
and the rules relating to the free movement of such data.2
Moreover, the protection of personal data is stated as one of the fundamental rights and
commonly shared values adopted in the Charter of Fundamental Rights of the
European Union (2010/C 83/02) 3 recognized in the Treaty on European Union.4
Article 8, Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
The Treaty on European Union also declares that the Union shall accede to the
European Convention for the Protection of Human Rights and Fundamental Freedoms,5
1 Official Journal of the European Union C 83: Consolidated version of the Treaty on the Functioning of the European Union, art. 1
2 Official Journal of the European Union C 83, art. 39
3 Official Journal of the European Union C 83, p. 389
4 Official Journal of the European Union C 83: Consolidated version of the Treaty on European Union, art. 6
5 Official Journal of the European Union C 83/19: Consolidated version of the Treaty on European Union, art. 6
which also includes the principle that everyone has the right to respect for his private and
family life, his home and his correspondence.6
The protection of personal data and private life is therefore regulated on a
fundamental level in many different binding European Union regulations, which may
overlap. However, they all aim towards the same target: ensuring the protection of
personal data.
2.2 European Union directives
EU directives describe a target that must be achieved in every Member State, but
each Member State may choose how it implements the directive in national law.7
The Data Protection Directive was adopted in October 1995. The Directive has a
twofold objective derived from the targets of European integration: on the one hand to
ensure the free flow of personal data from one Member State to another, and on the other
hand to safeguard the fundamental rights (i.e. the right to privacy and data protection) of
individuals.8
In principle the Directive applies to all processing of personal data. It includes rather
detailed provisions on the lawfulness of processing personal data, judicial
remedies, liability and sanctions, as well as on the transfer of personal data to third
countries, which will be described later in Chapter 4.4.
The European Commission is preparing a revision of the legal framework for data protection
to meet the new demands of the rapid technological developments and globalization that
have changed the world and thus brought new challenges.9 The aim is to propose a
new General Data Protection Regulation, which is briefly described later in Chapter 2.6.
There are also other, more sector-specific directives, such as the Directive on privacy and
electronic communications, which concerns the processing of personal data in the electronic
communications sector.10
2.3 Commission decisions, opinions and recommendations of the Working Party
The Commission decisions relevant in the context of this study are:
6 European Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8
7 European Commission, http://ec.europa.eu/eu_law/introduction/what_directive_en.htm
8 OJ L 281, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 1.
9 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609, Brussels, 4.11.2010, p. 2.
10 OJ L 201, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
- findings on an adequate level of protection in certain third countries.
- standard contractual clauses sufficient in safeguarding the adequate level of
protection when transferring personal data to third countries.
These are described in more detail later in Chapters 4.4.2.1 and 4.4.2.3.
A Working Party is set up on the basis of the Personal Data Directive. It is composed of
national data protection authorities, representatives of the Community institutions and
a representative of the Commission. The Working Party has an advisory status, and it
may make recommendations on all matters relating to the protection of persons with
regard to the processing of personal data in the EU.11
2.4 Finnish regulation
The Constitution of Finland (731/1999) guarantees the right to privacy.
Section 10 - The right to privacy
Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.
Finland has implemented the Personal Data Directive by adopting the Personal Data
Act (523/1999), which entered into force in June 1999. The new Act replaced the former
Personal Data File Act from the year 1988, but the main principles remained the same.
Other central, more sector-specific privacy laws are the Act on the Protection of Privacy in
Electronic Communications (516/2004), which was enacted on the basis of the Directive on
privacy and electronic communications, and the Act on the Protection of Privacy in
Working Life (759/2004), whose aim is to promote the protection of privacy and other
basic rights safeguarding the protection of privacy in working life.
2.5 Applicable law
The general rule is that the law of the Member State where the controller is located
applies to the processing of personal data, regardless of where or by whom the data is
processed.12 In outsourcing situations the company outsourcing its operations stays in
control of the data, and the outsourcing partner may process the data only on behalf of
the company and according to its instructions. Therefore the company remains the
controller and the outsourcing partner is a processor, which means that the law of the
Member State where the company outsourcing its operations is located applies even
when the processing is performed by an outsourcing partner in another Member State
11 Personal Data Directive, art. 29 and art. 30.
12 Personal Data Directive, art. 4.
or in a third country. Moreover, the transfer of data does not free the controller from its
obligations; instead the controller continues to be liable under that Member State's law
for any damage caused as a result of unlawful processing of personal data. The
controller may, however, be able to recover losses in a separate legal action against the
processor based on the outsourcing agreement.13
Notwithstanding the general rule presented above, there can be requirements in the law
of the country where the processor is located that may override the national law of the
controller, thus enabling disclosure of personal data to the state, e.g. to the police.
Within the EU this possibility is restricted to those disclosures that are necessary in
democratic societies for one of the "ordre public" reasons stated in the Personal Data
Directive. However, in third countries similar restrictions may not be in place.14
The rules on applicable law are not always clear, and there is an unfortunate possibility of
conflicts of law, especially when many Member States are concerned (e.g. a
multinational company established in several Member States provides the services). Ever-
increasing globalization and technological developments also add to the complexity.
The Commission has stated that it will examine how to revise and clarify the existing
provisions on applicable law in order to improve legal certainty and clarify the Member
States' responsibility. The ultimate goal is to provide EU citizens the same degree of
protection regardless of the geographic location of the data controller.15
2.6 The new legal framework for the protection of personal data in the EU
A draft version of the proposal for the new General Data Protection Regulation was
leaked at the beginning of December 2011, even though it was not supposed to be
published until January 2012. Since the official proposal is not available at the time of
writing this paper, I refer below to the unofficial draft.
Contrary to the current Personal Data Directive, the new framework is to be based on a
regulation and is therefore directly applicable without national implementation. The main
challenges with the current framework have not been its objectives or principles, which
are to remain largely the same, but fragmentation of the implementation across the
13 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP 12, 24.7.1998, p. 18–19 and p. 21.
14 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP 12, 24.7.1998, p. 21.
15 European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 11.
Member States and the legal uncertainty added by rapid technological development and
ever-increasing global business activities. The proposed regulation aims to tackle the
current challenges by introducing a solid and strong foundation for data protection and
moving towards full harmonization.16
The main issues of the data protection reform, as described by Viviane Reding, the EU
Justice Commissioner, are the following:
- Increased transparency and more control for citizens over their personal data.
- Privacy by design, meaning that services should include built-in privacy features.
- An obligation to notify data breaches to authorities and users (previously imposed only
on telecom operators).
- A right to data portability, meaning that users should not be locked in to a certain
service; the service provider must enable transfer of the user's personal data to
another service.
- Making the EU legal framework simpler for businesses by eliminating
unnecessary costs and administrative burdens and creating a level playing field
for companies.
- Supporting international transfers so that there is one single set of rules for
transfers of personal data to third countries and no additional national conditions.
- Emphasizing the importance of trust and encouraging innovation.17
The new draft regulation clarifies to a certain degree the applicable law issue in
outsourcing situations. Within the EU the new regulation would harmonize and unify the
rule set in the different Member States, since local differences within the scope of the
regulation would no longer be accepted due to its directly applicable nature. However, how
much room for interpretation is left for the national authorities and what the role of the
new European Data Protection Board will be remains to be seen.
Moreover, "all processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union should be carried out in
accordance with this [new] regulation, regardless of whether the processing itself takes
16 European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29/11/2011, Explanatory memorandum, p. 3.
place within the Union or not".18 It is thus clearly stated that personal data shall continue
to be subject to EU regulation even though it is processed in a third country.
The main elements of the transfer of personal data to third countries are to remain similar to
the current ones. The transfer may be based on an adequacy decision made by the
Commission, and the proposal clarifies the matters that the Commission needs to take
into account when making such an assessment. If an adequacy decision does not exist,
the transfer may take place by way of introducing appropriate safeguards, e.g. using
standard data protection clauses adopted by the Commission. As today, there is also the
third alternative of relying on specific derogations stated in the proposed regulation.
A new approach is that the concept of binding corporate rules, which so far has been a
possible tool when transferring personal data within a group of companies, is now
proposed to be broadened to cover also a group of undertakings and its members.19 It
is uncertain whether an outsourcing relationship could be considered to form such a
group of undertakings as is meant by the proposed regulation.
Unfortunately, the new proposal does not seem to bring concrete answers or solutions
to new international phenomena such as cloud services. The interest has so far been
more in protecting citizens' rights than in enabling companies to take advantage of the
possibilities of cloud computing. However, a European Cloud Computing
Strategy will be launched during the year 2012 that also covers matters related to the
legal framework.20
17 Viviane Reding, Privacy in the Cloud: Data Protection and Security in Cloud Computing, at round-table high level conference on Mobilising the Cloud organised by GSMA Europe, speech/11/859, 7.12.2011.
18 General Data Protection Regulation draft, recital 13.
19 General Data Protection Regulation draft, Art. 40.
20 Towards Cloud Computing Strategy; http://ec.europa.eu/information_society/activities/cloudcomputing/index_en.htm
3 Terminology
3.1 Personal Data
It is critical to understand the concept of personal data in order to interpret the
applicable legislation and comply with it. The Data Protection Working Party has
scrutinized the concept in its Opinion 4/2007, which is described below.
According to the Data Protection Directive (95/46/EC), "personal data shall mean any
information relating to an identified or identifiable natural person ("data subject");
an identifiable person is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity".
The purpose of the Data Protection Directive is to protect the fundamental rights and
freedoms (especially privacy) with regard to the processing of personal data. The
definition is intended to be broad and, as a general rule, to cover any kind of information
that can in one way or another be related to an identified or identifiable person.21
The definition can be divided into four separate requirements that together form the
concept of personal data. First of all, the definition refers to "any information", which
clearly shows the intention of broad interpretation. The information may by nature be
subjective information such as opinions and assessments (e.g. hard-working, reliable
payer) as well as objective information (e.g. blood type). Information considered
personal data may even be false. Moreover, the content of the information may be of any
sort relating to private, family or working life. From the point of view of the format or
where the information is stored, there are no limitations either. The information may e.g.
be alphabetical or numerical, stored on a computer hard drive or a video tape. Even
sound (e.g. phone call recordings), images (e.g. video surveillance recordings) or
biometric data (e.g. fingerprints, vein patterns, behavioral characteristics such as a
particular way of walking or speaking) is within the scope.22
Secondly, the information has to "relate to" a person. Data relates to an individual if it
refers to the identity, characteristics or behavior of an individual, or if such information is
used to determine or influence the way in which that person is treated or evaluated.23 In
order to consider information to relate to an individual, three alternative elements can be
distinguished: content, i.e. information is given about a particular person (e.g. medical
21 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 4.
22 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 6–9.
23 Data Protection Working Party, Working document on data protection issues related to RFID technology, WP 105, 19.1.2005, p. 8.
results relate to the patient); purpose, i.e. information is used or is likely to be used with
the purpose of evaluating, treating in a certain way or influencing the status or behavior of an
individual; or result, i.e. information is likely to have an impact on a certain person's rights
and interests. It is enough to have one of these alternative elements present. However,
a simplified general rule that can be used as a good starting point when assessing
whether or not information relates to an individual is that information which is about an
individual also relates to that individual.24
The third requirement is that the information relates to a natural person that is "identified
or identifiable". As a general rule a person is identified when, within a group of persons,
the person is distinguished from all other members of the group. The context and
circumstances determine when certain identifiers are sufficient to achieve identification
(e.g. a common family name is rarely enough to identify a person unless the group is
small, for example Penttilä from Corporate Security of TeliaSonera). An individual may
be identified directly, most commonly by name, or indirectly by combining pieces of
information that may or may not all be retained by the data controller and thus
narrowing down to a single person.25
However, it is enough that a person is identifiable even though not yet identified. When
assessing whether a person is identifiable, one should take into account all the means
likely reasonably to be used either by the controller or by any other person to identify
the person in question, today or in the future during the whole lifetime of the data
processing (e.g. IP addresses can with reasonable means be related to identified
persons by internet access providers). The purpose of the processing may indicate that the
data controller aims to identify the persons sooner or later, and therefore it is hard to
prove that there are no means likely reasonably to be used for identification (e.g. the
purpose of video surveillance is in the end to identify persons that have unlawfully
accessed the premises).26
In outsourcing cases it may be enough that the outsourcing partner receives and
processes pseudonymised data. Pseudonymisation can be done e.g. by key-coding the
data so that each individual is given a code, and the code and the identifiers of the
individual (e.g. name, personal ID) are kept separately. If the pseudonymised data is
transferred to the outsourcing partner, but the partner has no means likely reasonably to
24 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 10–11.
25 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 13.
26 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 15–16.
access the encryption key (the list that reveals the link between a key code and an
individual) or otherwise become aware of the identity of the persons, this transfer of data
is not to be considered a transfer of personal data.27 If data is anonymous in the sense
that no individual can be identified by the data controller or any other person, taking into
account all the means likely reasonably to be used to identify that individual, the data is
not personal data. The analysis must be performed on a case-by-case basis, considering
the circumstances now and during the whole lifetime of the data processing.28
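As an added illustration of the key-coding described above (example code written for this text, not code from the paper or from TeliaSonera): the controller replaces the direct identifiers of each record with a code, keeps the code table and the coding key itself, and checks that the coded dataset carries no direct identifiers before handing it to the processor. The record fields, the HMAC-based code and the helper names are assumptions of this example.

```python
"""Key-coded pseudonymisation of a dataset before transfer to a processor.

Constructed example: the controller replaces the direct identifiers of each
record with a code and keeps the code-to-identity table and the coding key.
Only the coded dataset is what the outsourcing partner receives.
"""
import hashlib
import hmac
import secrets

# Constructed sample customer records (fictitious people and values).
CUSTOMER_RECORDS = [
    {"name": "Anna Example", "personal_id": "010190-123A",
     "city": "Helsinki", "unpaid_invoices": 0},
    {"name": "Matti Sample", "personal_id": "150285-456B",
     "city": "Espoo", "unpaid_invoices": 2},
    {"name": "Anna Example", "personal_id": "010190-123A",
     "city": "Helsinki", "unpaid_invoices": 1},  # same person, second record
]

# Fields that identify the data subject directly; these stay with the controller.
DIRECT_IDENTIFIERS = ("name", "personal_id")


def new_controller_key():
    """Secret the controller keeps for coding; it is never given to the processor."""
    return secrets.token_bytes(32)


def pseudonymise(records, secret_key, identifiers=DIRECT_IDENTIFIERS):
    """Return (coded_records, key_table).

    The code is an HMAC-SHA256 of the personal ID under the controller's key,
    truncated to 16 hex characters (64 bits, ample for a dataset of this size).
    The same person therefore always gets the same code, so the processor can
    link records of one individual, but without the key it cannot turn a code
    back into an identity. key_table (code -> identifiers) stays with the controller.
    """
    coded_records = []
    key_table = {}
    for rec in records:
        code = hmac.new(secret_key, rec["personal_id"].encode("utf-8"),
                        hashlib.sha256).hexdigest()[:16]
        key_table[code] = {k: rec[k] for k in identifiers}
        coded = {"code": code}
        coded.update({k: v for k, v in rec.items() if k not in identifiers})
        coded_records.append(coded)
    return coded_records, key_table


def reidentify(coded_records, key_table):
    """Rebuild the original records; only possible with the controller's key table."""
    restored = []
    for coded in coded_records:
        rec = dict(key_table[coded["code"]])
        rec.update({k: v for k, v in coded.items() if k != "code"})
        restored.append(rec)
    return restored


def contains_direct_identifiers(records, identifiers=DIRECT_IDENTIFIERS):
    """Pre-transfer check: does any record still carry a direct identifier field?"""
    return any(k in rec for rec in records for k in identifiers)


if __name__ == "__main__":
    key = new_controller_key()
    coded, table = pseudonymise(CUSTOMER_RECORDS, key)
    print("coded dataset free of direct identifiers:",
          not contains_direct_identifiers(coded))
    print("controller can restore the records:",
          reidentify(coded, table) == CUSTOMER_RECORDS)
```

The coded dataset is only free of personal data for the processor as long as the key table and the coding key really are kept out of its reach, which is the case-by-case assessment the paragraph above calls for.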
The fourth element of the definition is that the Data Protection Directive applies to
natural persons (i.e. human beings) without any restrictions related e.g. to
nationality or residence. Data on dead persons is in principle not considered personal
data, since the dead are no longer natural persons in civil law. However, there may
be some exceptions to that general rule in national laws, and in some cases data
on a dead person may also relate to a living person and therefore be considered
personal data.29 Information relating to legal persons (e.g. companies, associations etc.)
is not personal data, unless the data also relates to natural persons (e.g. a corporate e-
mail address that is used by a certain employee). The Finnish Communications
Regulatory Authority has stated that the confidentiality of communications remains
in force also after a party to the communications has died (e.g. the heir has no right to
receive a full itemization of the phone bill from the time period before the death).
3.2 Outsourcing
There is no commonly agreed exact definition of outsourcing; however, in general the
term is used to describe the process of subcontracting services or goods from a third
party.
Information Security Forum members have in workshops agreed on the following
definition:
"Outsourcing is the transfer of the operation or creation of activities, services or facilities from an organisation to a third party provider. The responsibility for managing the arrangement lies with the organisation and delivery with the provider".30
Offshoring is one type of outsourcing, covering
"those business functions that are carried out at a location outside of the organisation's home state (country)".31
27 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 18–21.
28 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 21.
29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 22.
30 Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004, p. 5.
31 Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004, p. 5.
14
Black’s law dictionary defines an outsourcing agreement as follows:
“An agreement between a business and a service provider in which the service provider promises to provide necessary services, esp. data processing and information management, using its own staff and equipment, and usu. at its own facilities”.32
In TeliaSonera’s internal terminology outsourcing activity is divided into two separate
terms: outsourcing and sourcing of services. Outsourcing is defined as “one time activity
to transfer an outsourcing object to a supplier/partner” and sourcing of services begins
when “after completion of outsourcing activity TeliaSonera continues to buy services
from the supplier/partner”.
After the actual transfer of operations to the outsourcing partner, there is a risk that
interest in the outsourcing case decreases and the case is considered more or less
closed. However, it is equally important to manage the period after the actual transfer
and ensure that the outsourcing partner fulfils the requirements set in the agreement
during the whole term of the agreement. Therefore in my study I will cover both the
outsourcing and the sourcing of services phases.
3.3 Controller
According to the Data Protection Directive article 2 d “controller means the natural or
legal person, public authority, agency or any other body which alone or jointly with
others determines the purposes and means of the processing of personal data; where
the purposes and means of processing are determined by national or community laws
or regulations, the controller or the specific criteria for his nomination may be
designated by national or Community law.”
In practice the controller is the party that decides what data is collected and stored, the
purpose of the processing of data as well as the means. In other words the controller is
an organization that controls and is responsible for the personal data which it holds.33
The controller is also responsible for ensuring that the personal data are lawfully
collected and processed. In the outsourcing context the controller is the party that
transfers its operations to an outsourcing partner.
32 Bryan A. Garner, Black’s Law Dictionary, 8th edition, West Publishing Co, 2004, p. 1136.
33 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 10.
3.4 Processor
The Data Protection Directive (art. 2 d) defines the processor as “a natural or legal
person, public authority, agency or any other body which processes personal data on
behalf of the controller.”
In an outsourcing case the processor is the outsourcing partner to whom a controller
has outsourced certain of its activities. The processor does not have an independent
right to process any personal data of the controller, since its rights are derived from the
controller; the processor therefore always acts on behalf of the controller and according
to its instructions.
4 Transfer of personal data from controller to processor
4.1 What determines a transfer of personal data?
The Personal Data Directive does not define what kind of activity constitutes a transfer
of personal data. A transfer can be interpreted to cover all cases where a controller
takes action in order to make personal data available to a third party.34 Transfer and
disclosure of information differ in the sense that when information is transferred the
controller may also remain the same.35
The Finnish Data Protection Ombudsman has stated that establishing remote access to
data also constitutes a transfer, even though the physical database itself is not
transferred36 (e.g. if a database is located in Finland but can be accessed remotely
from India, this is considered a transfer outside the EU).
However, it is not completely clear when a transfer occurs: for example, if a company
discloses contact information of its employees outside the EU or EEA (the European
Economic Area) over the phone, by e-mail or over the internet, is that to be considered
a transfer? The provision regarding transfer should be applied when transferring
individual pieces of data as well as large quantities.37 Moreover, the Court of Justice has
stated that there is no transfer of personal data to a third country where an individual in
a Member State loads personal data onto an internet page which is stored with his
hosting provider established in that State or in another Member State, thereby making
those data accessible to anyone connecting to the internet, even outside the EU/EEA.38
In outsourcing cases it is often quite clear that personal data is transferred to an
outsourcing partner, either by making data available via remote access or by actually
transferring certain databases to be stored in data rooms at the outsourcing partner’s
facilities. Even though both alternatives are considered a transfer, there is a difference
in what kind of security requirements have to be set on the outsourcing partner. The
actual transfer of a database is the more critical case when assessing the need for
security controls and requirements.
34 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 18.
35 Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998) yksityiskohtaiset perustelut, luku 5 (Government proposal on Personal Data Act).
36 Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset, 27.7.2010, p. 11.
37 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 3.
38 Case C-101-01, Bodil Lindqvist, ECR, 2003, p. I-12971, see also question 3: http://www.datainspektionen.se/in-english/in-focus-transfer-of-personal-data/#3
4.2 General principles on processing of personal data
The Data Protection Directive and the national laws based on it include various
requirements on the collection and other processing of personal data that are the
responsibility of the controller. These are briefly described below, based on the Finnish
Personal Data Act and the Data Protection Directive, in order to give some background
on the general rules applicable to the processing of personal data:
Duty of care
The controller as well as anyone operating on behalf of the controller shall process
personal data fairly, lawfully and carefully.
Planning obligation
The controller shall plan the processing of personal data: the purposes of the
processing, the regular sources of personal data and the regular recipients of recorded
personal data shall be defined before the collection of the personal data. According to
the Finnish Personal Data Act, the result of this planning has to be expressed in a
description of the personal data file that is made available to anyone.
Exclusivity of purpose
Personal data may not be processed in a way incompatible with the purposes defined
before collection of the personal data.
Necessity requirement
The personal data processed must be adequate, relevant and not excessive in relation
to the purposes for which they are collected and processed and they may not be kept in
an identifiable form longer than is necessary for the purposes for which the data were
collected or processed.
Accuracy requirement
The personal data must be accurate and up to date and no erroneous, incomplete or
obsolete data are to be processed.
General prerequisites for processing
Personal data may be processed only if certain prerequisites for processing are met.
The most relevant applicable prerequisite from the point of view of a controller providing
services or goods to customers is the connection requirement i.e. processing is
necessary for the performance of a contract or taking steps prior to entering into a
contract. This applies e.g. to customers and employees of the controller. However, one
must bear in mind all the other principles and requirements that also have to be fulfilled
in order to comply with regulation.
Other possible grounds for processing of personal data are e.g. unambiguous consent
of the data subject, the processing being necessary for compliance with a legal
obligation or need to protect vital interest of the data subject.
Transparency principle
The controller shall provide information on processing of personal data to the data
subject such as identity of the controller, purposes of the processing of data, recipients
of the data and information on the rights of the data subject.
Every data subject shall have the right to have information on processing of his/her
personal data from the controller as well as right to have in particular incomplete or
inaccurate data rectified, erased or blocked.
Security of processing
The Data Protection Directive sets demands on the security of the processing not only
when controller itself processes data but also when processing is carried out on his
behalf by a processor.
The controller must ensure that appropriate technical and organizational measures are
taken to maintain security both at the time of the design of the processing system and
at the time of the processing itself.
“…the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
The legislator understands that it is in general extremely hard, even impossible at
reasonable cost, to accomplish complete, bulletproof data security. Therefore these
security measures shall be designed taking into account the state of the art and the
costs of their implementation in relation to the risks inherent in the processing and the
nature of the data to be protected.39 The higher the risk and/or the deeper the
intervention into the privacy of an individual, the higher the demands on security.
39 Personal Data Directive (95/46/EC) recital 46.
If the processing of personal data is carried out by a processor on behalf of the
controller, the Personal Data Directive also requires that the controller must choose a
processor providing sufficient guarantees of technical and organizational security
measures as well as ensure compliance with those measures.40
Confidentiality
Personal data are confidential and may not be disclosed to third parties against
provisions of applicable law.41 Any person who has access to personal data must not
process them except on instructions from the controller, unless he is required to do so
by law.42
In addition to the general principles described above there are requirements on the
processing of special categories of data (e.g. sensitive data) and on processing for
certain specific purposes (e.g. direct marketing, historical, statistical or scientific
purposes), as well as certain exceptions regarding for example national or public
security, criminal procedures and national defence.
4.3 Transfers within Finland and the EU/EEA
The target of the Data Protection Directive is – in addition to protecting the right to
privacy – to ensure free flow of personal data within the EU. Each Member State has
had to adopt national provisions pursuant to the directive i.e. implement it into the local
law.43 Personal data may therefore be transferred within the EU and the European
Economic area (EEA) countries on the same grounds as disclosing, transferring or
otherwise submitting them within a Member State.44
Transfer of personal data in an outsourcing situation from controller to processor is not
considered a disclosure of data, which would in many cases require consent from the
data subject. The processor processes the personal data only on behalf of the controller
and according to the controller’s requirements stipulated in an outsourcing agreement.
The controller is responsible for the lawfulness of the processing and the processor for
complying with the agreement.45
40 Personal Data Directive (95/46/EC) art 17.2.
41 Finnish Personal Data Act (523/1999) 33 §.
42 Personal Data Directive (95/46/EC) art. 16.
43 Personal Data Directive (95/46/EC) art. 1 and 32.
44 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 4.
45 Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset, 27.7.2010, p. 3.
Transfer of personal data to a processor within Finland or the EU/EEA is possible only if
the general principles described in Chapter 4.2 above are fulfilled. For example, the
data may not be transferred to be processed for any purpose incompatible with the
purposes earlier defined by the controller. The processor is acting on behalf of the
controller and therefore cannot have any better rights to the data than the controller
itself has.
There are no binding model agreements or contractual clauses for transfers within a
Member State or EU/EEA. However, Personal Data Directive (art. 17.3) requires that a
contract or binding act has to be in place between a controller and processor. This so
called Data Transfer Agreement (DTA) must include at least the following
requirements: a) the processor shall act only on instructions from the controller and b)
the data security related obligations specified in article 17 paragraph 1, as defined by
the law of the Member State in which the processor is established, shall also be
incumbent on the processor. Therefore in order to comply with regulation and to ensure
that each party understands and undertakes its responsibilities regarding processing of
personal data during the whole lifecycle of outsourcing relationship, it is essential to
include terms and conditions related to processing of personal data in the outsourcing
agreement or even sign a separate data protection agreement.
The requirements in Personal Data Directive (art. 17.3) are implemented into the
Finnish Personal Data Act 32 § as follows:
“1) The controller shall carry out the technical and organisational measures necessary for securing personal data against unauthorised access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. The techniques available, the associated costs, the quality, quantity and age of the data, as well as the significance of the processing to the protection of privacy shall be taken into account when carrying out the measures. (2) Anyone who as an independent trader or business operates on the behalf of the controller shall, before starting the processing of data, provide the controller with appropriate commitments46 and other adequate guarantees of the security of the data as provided in paragraph (1).”
It is worth noting that the Finnish Personal Data Act does not literally require a written
contract or binding act to be in place between the parties. However, it is more than
advisable to conclude a written DTA with an outsourcing partner also when working with
a Finnish outsourcing partner.
46 In Finnish: “annettava rekisterinpitäjälle asianmukaiset selvitykset ja sitoumukset“
4.4 Transfers to third countries from the EU/EEA
4.4.1 General aspects
Contrary to transfers within the EU, the transfer of personal data outside the EU to
third countries is rather strictly regulated in order to ensure an adequate level of
protection. EU Justice Commissioner Viviane Reding has pointed out “protection
regardless of data location” as one of the four pillars on which people’s rights need to be
built, meaning that homogeneous privacy standards for European citizens should
apply independently of the area of the world in which their data is being processed.47
Third countries are all other countries than the EU Member States and the European
Economic Area (EEA) countries.
There are two main rules that have to be complied with when considering transfer of
personal data to a third country: a) the personal data in question must have been
collected and processed in accordance with the national laws applicable to the
controller established in the EU and b) the third country in question ensures an
adequate level of protection or one of the derogations laid down in the directive is
applicable.48
The general principles referred to in the first rule have already been described above in
Chapter 4.2. If those are not complied with, the transfer is considered illegal even
though the second requirement of an adequate level of protection is met. In particular
one must ensure that the purpose of the transfer is compatible with the one for which
the data were initially collected (exclusivity of purpose).
From the point of view of a company wanting to outsource its operations to a third
country, the easiest option to go ahead with the transfer is that the third country has
been found by the Commission to provide adequate protection. If that is not the case, it
may be easiest to use the standard contractual clauses approved by the Commission to
proceed with the transfer. These and the other options to be evaluated before
transferring data to a third country are described below.
4.4.2 The alternative ways of proceeding
4.4.2.1 Adequacy assessment
The main principle laid down in the Data Protection Directive is that personal data may
be transferred outside of the EU or EEA countries only if the third country in question
47 Reding Viviane, Speech/11/183, Your data, your rights: Safeguarding your privacy in a connected world, 16.3.2011, Brussels. The other three pillars are: right to be forgotten, transparency and privacy by default.
48 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 19 – 20.
ensures an adequate level of protection. The level of adequacy shall be assessed in the
light of all the circumstances surrounding a data transfer operation(s). In particular one
shall consider the nature of the data, the purpose and duration of the processing
operation(s), the country of origin and country of final destination, the rules of law
(general/sectoral) in force in the third country in question and the professional rules and
security measures which are complied with in that country.49 The adequacy of the
protection may be assessed either by a Member State according to national legislation
or by the Commission.
The directive requires that each Member State achieves the set result, i.e. ensures an
adequate level of protection in the third country, but leaves room for choice in how the
result is achieved. The degree of involvement of the data protection authority in these
so-called self-assessment cases varies between Member States, which may lead to the
risk that the level of protection provided in a third country is judged differently in
different Member States.50 In Finland the controller assesses the adequacy first, but
must notify the Data Protection Ombudsman of such a transfer, who then evaluates
whether the level of protection reached is adequate.
Moreover, the Commission may make a binding decision that a certain country51
ensures an adequate level of protection, in which case there are no formal extra
requirements related to the transfer, and it may take place on the same grounds as
within the EU. These so-called Commission adequacy findings provide legal certainty
and uniformity throughout the EU.52 The Commission adequacy findings are based on
the same criteria as explained above, but according to the Commission’s study the
requirements are not specified in satisfactory detail. Therefore the Commission will aim
to clarify the adequacy process and specify the assessment criteria and requirements in
more detail in connection with the ongoing revision of the EU legal framework for data
protection.53
49 Data Protection Directive Art. 25.
50 European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 15.
51 Up to date list of these countries is available: http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm
52 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 4.
53 European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 15.
4.4.2.2 Specific situations and conditions
Even though a third country does not ensure an adequate level of protection, transfer of
personal data may take place according to derogations laid down in the directive54, if
one of the following conditions is met:
a) The data subject has given unambiguous consent to the transfer. The consent must
be clear, voluntary, detailed and consciously given, based at least on information on
what data, for what purpose, to whom and to what country the data will be transferred.
Mere failure to object by an informed data subject does not constitute unambiguous
consent.55
b) The transfer is necessary for the performance of a contract between the data subject
and the controller or for the implementation of precontractual measures taken in
response to the data subject’s request. This derogation may seem extensive, but in fact
it is limited by the strict interpretation of the necessity requirement. There needs to be a
close and substantial connection between the data subject and the purposes of the
contract in order to pass the necessity test. For example this derogation may not be
relied upon in order to transfer data of employees from a subsidiary to the parent
company (e.g. to centralized payment and HR functions system), since there is no
sufficient link between performance of an employment contract and such a transfer of
data.56 However, the Finnish Data Protection Ombudsman has given an opinion that
contact information of employees of a multinational corporation may be published on
company’s intranet in order for the employees to be reached by colleagues employed
by the same company.57
c) The transfer is necessary for the conclusion or performance of a contract concluded
in the interest of the data subject between the controller and a third party. Just as in the
previous derogation (b), the interpretation of necessity is very narrow. The data
controller must be able to prove that the data transfer is necessary for the performance
of the contract. For example, in an outsourcing situation where a company is planning to
transfer employee information to an outsourcing partner located outside the EU, to
whom the company is aiming to outsource its payroll management, there is not a close
enough link between the data subject’s interests and the contract even though the
54 Personal Data Directive (95/46/EC) art. 26.1.
55 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 8.
56 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 13.
outsourcing partner is to manage salary payments to the employees.58 This derogation
could be applicable to transfers made in order to conclude a contract on the insurance
or health care of an employee working abroad.59
d) The transfer is necessary or legally required on important public interest grounds, or
for the establishment, exercise or defence of legal claims. The regulator has intended
this derogation mainly to situations where international exchanges of data may be
necessary between tax or customs administrations or between services competent for
social security matters. Once again the requirements are subject to strict
interpretation.60
e) The transfer is necessary in order to protect the vital interests of the data subject,
such as in the case of a medical emergency. Vital interests refer to interests essential to
the life of the data subject, not to economic or property related interests.61
f) The transfer is made out of a public register which is open to public in general or to
anyone who can demonstrate legitimate interest. This however does not allow the
transfer of the whole register or entire categories of data contained in the register, due
to the risk that the data is used to another purpose in the third country than initially
planned.62
These exemptions from the general principle of ensuring adequate protection must be
interpreted restrictively. Their scope is intended to be narrow and to cover mainly cases
where risks to the data subject are relatively small or where other interests override the
data subject’s right to privacy.63 Otherwise the situation would be quite risky from the
data subject’s point of view, since there may be total lack of protection in the third
country or at least significantly lower level protection than in the EU.64
57 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 8.
58 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 14.
59 Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998) yksityiskohtaiset perustelut, yksityiskohtaiset perustelut 23 § (Government proposal on Personal Data Act).
60 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 15.
61 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 9.
62 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 16.
63 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 7.
64 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 6.
4.4.2.3 Standard contractual clauses approved by the Commission
The Commission may decide that certain standard contractual clauses offer sufficient
safeguards with respect to the protection of the privacy and fundamental rights and
freedoms of individuals and as regards the exercise of the corresponding rights.65
Personal data may therefore be transferred to a third country that does not offer an
adequate level of protection if an applicable set of standard contractual clauses is used.
The target and scope of a contract in the case where personal data is transferred
outside the EU area, is much wider than in transfers within the EU. Between parties
within the EU countries the contract as explained in Chapter 4.3 is a tool to define and
agree on the responsibilities between two or more parties. However, when transferring
data to a third party located outside the EU area, the contract must provide additional
safeguards, because the receiving party is not governed by the EU data protection
regulation. These requirements are included in the standard contractual clauses in order
to ensure adequate safeguards.66
In an outsourcing situation the outsourcing partner is acting as a processor, processing
personal data on behalf of a controller (the company outsourcing its activities) and
according to the controller’s instructions. The Commission adopted an updated version
of the standard contractual clauses covering such transfers from a controller to a
processor (controller to processor clauses) on 5.2.2010. The preceding, now repealed,
clauses were from the year 2002.67 The Member States must in general accept
transfers conducted using the approved standard contractual clauses.68 There may be
differences in national laws regarding the obligation to notify local authorities, but in
Finland no such requirement exists.
The standard contractual clauses reflect the general principles of the Data Protection
Directive, which are described in more detail under Chapter 4.2 above. The headings of
the controller to processor contractual clauses are the following:
- Definitions
The controller is referred as the data exporter and the processor as the data
importer in the context of the contractual clauses. Another important term
65 Data Protection Directive art. 26.2 and art. 26.4.
66 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP12, 24.7.1998, p. 16 – 17.
67 There are two other sets of standard contractual clauses approved by the Commission, but they apply to transfers from controller to controller only (decisions Set I 2001/497/EC and Set II 2004/915/EC, so called business clauses).
included in the new set of the clauses is the sub-processor which means in brief
a subcontractor of the processor (data importer) or the subcontractor’s
subcontractor.
- Details of transfer
Details of the transfer such as data subjects, categories of data and processing
operations are to be defined in an appendix.
- Third-party beneficiary clause
The standard contractual clauses should be enforceable against the controller
and in certain cases even the processor by the data subjects e.g. when the data
subject suffers damage as a consequence of a breach of the contract.69
- Obligations of the data exporter
The main responsibilities of the data exporter include ensuring that the data
processing has been and will be carried out in accordance with the applicable
law, continuously instructing the data importer on processing personal data
according to data exporter’s instructions and law as well as ensuring compliance
with the appropriate security measures.
- Obligations of the data importer
The main obligations of the data importer include processing personal data only
according to the data exporter’s instructions, warranting that no applicable legislation
(e.g. local laws) prevents it from fulfilling its obligations, and implementing technical
and organisational security measures.
- Liability
This describes the alternative ways for the data subject to receive compensation
of damages resulting from the breach of the agreement.
- Mediation and jurisdiction
If there is a dispute between a data subject and data importer, the data subject
may either choose mediation or litigation.
- Cooperating with supervisory authorities
68 The Member States may prohibit or suspend data flows only in the situations described in Article 4 of the Commission decision on the standard contractual clauses (2010/87/EU).
69 Commission decision 2010/87/EU, 5.2.2010, recital 19 – 20.
The supervisory authorities (i.e. national data protection authorities) may receive
a copy of the agreement and also conduct an audit of the data importer and sub-
processor.
- Governing law
The clauses shall be governed according to the laws of the Member State where
the data exporter is located.
- Variation of the contract
The standard contractual clauses approved by the Commission may not be
changed or modified by the parties. However, the parties may add business
related issues to the agreement as long as they do not contradict the standard
contractual clauses or prejudice fundamental rights or freedoms of the data
subjects. If other modifications or alterations are made to the clauses, they no
longer are treated as the standard contractual clauses benefiting from the special
treatment, but fall under the situation described above in Chapter 4.4.2.1 where
the data exporter on a case-by-case basis adduces adequate safeguards as
assessed by the national authorities.70
- Sub-processing
In many cases the processor in a third country needs to further transfer the data
received from a controller located in the EU to another processor located outside
the EU (e.g. to a subcontractor). This new set of standard contractual clauses
includes clauses also on these subsequent onward transfers that occur outside
the EU area thus making the data transfers to international actors less
bureaucratic. The sub-processing clauses aim to ensure that the personal data
being transferred continue to be protected notwithstanding the subsequent
transfer to a sub-processor.71 These clauses do not apply to a situation where a
processor located in the EU transfers personal data to a sub-processor located in
a third country.72
- Obligation after the termination of personal data-processing services
The parties agree on returning or destroying of personal data as well as
confidentiality after the agreement is terminated.
70 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 28.
71 Commission decision 2010/87/EU, 5.2.2010, recital 17.
72 Commission decision 2010/87/EU, 5.2.2010, recital 23.
4.4.2.4 Adequate safeguards adduced by the controller
Instead of taking advantage of the standard contractual clauses described above, a
controller may itself offer adequate safeguards with respect to the protection of privacy
and rights of individuals. These may be e.g. self-drafted contractual clauses directed at
one specific case that are authorised by the national data protection authority.
5 Outsourcing lifecycle and data protection
The outsourcing lifecycle can be divided into four phases: preparation, implementation,
operation and review.73 These four phases are assessed below especially from the
viewpoint of transferring personal data.
5.1 Preparation phase
The target of the preparation phase is to create a business case and agree in general
within the company that outsourcing is the way forward. In the latter part of this phase
the outsourcing partner is chosen and agreements negotiated.
5.1.1 Developing the business case
It is often easy to focus on the benefits of outsourcing such as cost savings, increased
competence and efficiency. However, when creating a business case, it is just as important
to evaluate the additional process and administration costs that may be caused by
specific requirements applying to the outsourcing object, as well as the risks. Moreover,
sometimes the outsourcing becomes an end in itself while the targets to be achieved
remain unclear. Without a comprehensive understanding of the whole outsourcing case,
its goals and risks, it is impossible to make an enlightened decision on whether to
outsource or not.
The risks to consider may relate e.g. to following aspects74:
- Country risks: e.g. the cultural, environmental, political, infrastructural and
regulatory issues as well as distance.
- Company risks: e.g. how mature the security level adopted in the company is and
how security is governed.
- HR risks: e.g. what is the competence and awareness level of employees.
- Data risks: e.g. ensuring confidentiality, availability and integrity.
- Deliverables risks: e.g. reliability of hardening and delivery methods.
It should be kept in mind that the risk of outsourcing is the additional risk compared with
the risk of taking care of the operations to be outsourced locally by the company itself,
not the total risk.
In most cases outsourcing involves transfer of personal data to the outsourcing partner,
either actual transfer to the partner’s data room or giving remote access to the
company’s systems. It is essential to identify the criticality of the data and data
categories as well as specific requirements related to them. The requirements may be
rooted in regulation, customer agreements or the company’s own policies (e.g. data
classification and handling instructions) and risk appetite. The data may include e.g.
personal data, traffic data or even content of communications that may be processed
only according to applicable EU and national legislation, or there may be certain
restrictions related to customer data in certain customer agreements, e.g. prerequisites
on by whom and where the data may be processed. One must also bear in mind the
principle of exclusivity of purpose laid down in the Personal data directive, prohibiting
processing of personal data in a way incompatible with the purposes defined before
collection of the personal data, as well as other general principles.75
73 Information Security Forum, Information risk management in outsourcing and offshoring, January 2008, p. 3.
In addition to the risk analysis, it is advisable to also perform a business impact
assessment, the result of which shows the possible impact on the company if information is
improperly exposed, changed or made unavailable. Even though the legal prerequisites
for transferring all kinds of personal data to third countries are the same, the business
impact may be quite different if “only” names of customers are processed without
authorisation compared to a situation where the confidentiality of personal IDs, medical records, traffic
data (e.g. information on communication or location of the subscription) or maybe even
content of communication (e.g. e-mail messages) is compromised. The controls and
additional requirements should be created and decided based on the analysis and the
criticality of the information, taking into account the company’s own risk appetite as well as
the possibilities to mitigate risks.
As described before, the EU regulation allows the transfer of personal data also to such
countries that are not deemed to have adequate protection or whose level of protection has
not yet been assessed by the Commission. In such cases transfer may occur e.g. when
standard contractual clauses approved by the Commission are used. This means that
the EU regulation does not impose a show stopper; however, the risk analysis performed
by the company planning to outsource operations to a third country may suggest that
the situation in certain countries or in a specific area of a country is such that the risks
overstep the risk appetite of the company, i.e. the country risk assessed by the company
is too high to be reasonably mitigated by contract or other means. Even though the
regulation would support and allow transfer of personal data, it is not always wise based
on the company’s own risk and business impact assessments.
74 Based on the presentation of Britt Amundsen Hoel, CSO, Telenor Norge AS, High risk – low cost - going offshore, ISF annual conference in Monaco, 2010.
75 According to the Finnish Personal Data Act 10§ the controller must state in the description of a personal data file whether personal data is to be transferred outside the EU area. The description of file may date back to a time when outsourcing was not considered or even that common, and thus state that personal data is not transferred outside the EU. It is uncertain how the description of file may later be changed if the original version denies the transfers. One way of proceeding with the change is to consider the description as a part of the agreement and change it according to the same principles as the agreement could be changed. That is often a very time-consuming process. Therefore it is critical to identify the data files in question and to check what the description of the personal data file states on the issue already at an early stage of the process.
5.1.2 Choosing the partner
Personal data, whether it relates to customers or employees, are in many ways very
critical assets of a company. It is easy to lose reputation and confidence, but gaining it
back is most often an extremely long and rocky road. The security aspects are therefore
by no means insignificant when the outsourcing partner is chosen.
Security related requirements and questions should be included as a part of the
Request for Proposal (RFP) sent to the potential vendors. The answer to the RFP gives a
starting point for evaluating the partner’s capabilities. However, one should not rely
only on the information given in the offer, but also try to validate by other means that the
information given is reliable and not merely commercial marketing statements.
Validating third party security is not an easy task to perform. The Information Security
Forum provides a “Security health check” tool, a self-assessment tool that can be used
to evaluate whether an outsourcing partner fulfils the set requirements or not. It can be used
as a self-assessment tool; however, one must keep in mind that the results are not
objective, but instead based on the vendors’ own subjective views. The questionnaire is
made up of 208 high-level information security questions that are presented in a macro-
enabled Microsoft Excel spreadsheet.76 Another indicator that can be helpful is that the
partner has a certificate (e.g. ISO 27001) that covers the part of the partner’s processes
that is used to provide the services. Even though e.g. an ISO 27001 certificate may not
assess all the aspects relevant to a specific outsourcing activity, it gives at least a
general indication that the partner has an appropriate information security
management system in place. When establishing a business relationship with a
completely new partner that has no proof of its security level (e.g. no certificates), it may
be wise to audit the partner on site, especially if the operations to be outsourced are
critical and/or lead to transferring critical information to the partner. Once again it’s a
question of risk evaluation and mitigation.
An ever increasing number of services are provided from a cloud. When choosing an
outsourcing partner and a solution, it is important to get a clear view on whether a cloud
is used and, if so, what kind of cloud is in question (private/public). Moreover, when
personal data is to be transferred to a cloud, it is essential to understand where the data
is located, who is able to process it and how information security aspects are taken
into account. There are no “cloud-specific” privacy regulations, but all the same rules
that have been described in this paper regarding processing and transferring personal
data apply to cloud based processing of personal data. For example, if the cloud is
located outside the EU/EEA, an adequate level of protection must be guaranteed by
one of the means explained earlier.
76 Information Security Forum: Security healthcheck, available for ISF members at www.securityforum.org
5.1.3 Agreeing with the partner
When the vendor has been chosen and the business agreement (outsourcing
agreement and service agreement) is under negotiation, it is crucial to remember to
include security requirements in the negotiations. Usually a frame agreement that
covers all general terms and conditions of the vendor relationship is concluded first and
then separate agreements regarding each assignment are signed.
It is essential to cover at least the following aspects regarding processing personal data
in the agreements:
- Non-Disclosure Agreement (NDA) if it is not signed already during the partner
evaluation.
- Data transfer agreement as explained in chapter 4.3 if personal data is transferred
within the EU/EEA.
- Standard contractual clauses as explained in chapter 4.4.2.3 if personal data is
transferred to a processor located in a third country (outside the EU/EEA) and there is
no Commission adequacy finding regarding the country in question or other means
specified in the Data Protection Directive to ensure the adequacy of the protection.
- Other relevant security requirements and controls based e.g. on risk/business
impact assessment, regulation, adopted standards, the company’s internal instructions
and customer demands. However, it is good to acknowledge that many vendors
provide services to various companies located around the world, and placing
additional requirements above e.g. the EU regulation level may add to the costs,
because the vendor has to stretch to a customer specific solution.
- Description of common processes and practices related to e.g. access, incident, risk,
crisis and business continuity management, auditing of the vendor as well as
responsible persons in each area. It is good to prepare for crisis and worst case
scenarios and define roles, responsibilities and processes related to those, as well as
test them to the degree possible.
- Consequences and sanctions of a breach of the agreement, e.g. in a situation where
the confidentiality or integrity of personal data has been compromised.
- Exit procedures that aim to prevent lock-in to one vendor and enable a seamless as
well as secure exit at the end of the partnership.
5.2 Implementation phase
The target of the implementation phase is to manage the transfer of the operations to
the outsourcing partner as seamlessly as possible. This phase starts with planning e.g.
creating migration plans as well as adapting business, security and support processes
and ends when the operations are up and running at the outsourcing partner.
From the personal data point of view it is crucial to plan the transfer of the personal
data and how it is performed in a secure way. If instead access to data stored in the company’s
systems is to be granted to the employees of the outsourcing partner, the access
management process has to be agreed and access rights granted accordingly. The
company also needs to agree with the outsourcing partner how the employees are
trained to process personal data according to the requirements set in the agreement.
5.3 Operation phase
Operation phase lasts as long as the company continues to source services from the
outsourcing partner. This phase requires active support, maintenance and audit
activities from the company including performing regular security reviews and follow ups
to validate the compliance and current state of the partner organization. A significant
risk is that the case is considered closed after the implementation phase and the
company lacks sufficient resources and interest in supervising the partner and working
in co-operation. However, one must bear in mind that the company continues to be
responsible for complying with applicable regulation even after the processing of
personal data is transferred to the outsourcing partner. Therefore also from the risk
management perspective it is advisable to regularly interact with the partner and
manage the partnership e.g. through meeting and reporting structures.77
77 Information Security Forum: Information risk management in outsourcing and offshoring, January 2008, p. 25.
5.4 Review and Exit phase
The longer the outsourcing partnership lasts, the more probable it is that the
requirements (e.g. regulation) change in such a manner that it also affects the
processing of data by the outsourcing partner. The parties must establish a way of
communicating and handling such operative changes as a part of daily business.
However, at some point along the way there comes a time to review the partnership and decide
on the future. That phase can be called the review phase, and it may lead to exit if the
parties cannot agree on the future terms of the partnership.
The whole lifecycle of outsourcing and data processing should be taken into account
already in the preparation phase and a preliminary plan for exit should exist also on the
agreement level. When the agreement is terminated, the company must ensure that the
outsourcing arrangement is taken down in a controlled way in order to avoid any
disturbances of business or breaches of applicable regulation and other requirements.
As a result of a seamless exit process the operations are either transferred back to the
company or to another outsourcing partner.
6 Conclusions
Outsourcing at its best brings efficiency, flexibility, increased know-how and cost savings
to companies. However, these benefits are not given for free; instead it takes a
huge amount of preparation, actual implementation work, maintenance and follow up to
make it work securely, seamlessly and in compliance with internal and external
demands. It is easy to concentrate on the benefits of outsourcing and underestimate
the risks and the amount of work it takes from the company itself before and also after the
actual transfer of operations has taken place. Outsourcing is not a one-time event, but a
continuous relationship with the vendor (outsourcing partner) that lasts as long as the
agreement is valid.
The concept of personal data is interpreted so widely that the data protection and
privacy aspects have to be taken into account nearly in all outsourcing cases. The
current regulatory framework regarding processing and transferring personal data
contains a set of basic tools enabling companies to carry out outsourcing activities.
Even though the framework can be seen as supporting outsourcing, it may not
always be consistent and easy to interpret or implement in practice. The more countries
(and therefore also the more legal frameworks) there are in question, the more complex
the situation grows. The responsibility for complying with applicable laws remains with
the data controller (the company outsourcing its operations) no matter where the
personal data is transferred to. This can lead to difficult challenges if the legal
framework in the country where the data processor (the outsourcing partner) is located
differs dramatically from the level of protection established within the EU. The risks can be
mitigated to a certain degree by well-prepared agreements and follow-up activities;
however, if the legal stability in a country is somewhat compromised, it can be hard to
exercise the rights granted by an agreement, no matter how watertight it is. Moreover, it
is not possible to override national laws and the authority of the local authorities just by
an agreement between the outsourcing parties.
At the moment some conflicts of law may arise also on the EU level, since Member
States have chosen slightly different ways to implement the EU directives. The
Commission intends to review and clarify the provisions regarding applicable law in
connection with the overall review of the data protection regulation, a development which
is a welcome improvement to the current state. The target is to achieve full harmonisation
by using a regulation as a strong legal instrument. It is alarming that the technical
development and related business models are developing so fast that the regulator is
always many steps behind. The concepts that have been suitable to use in more
traditional outsourcing situations are too bureaucratic or impossible to deploy e.g. in
cloud computing situations.
Often the threat of losing reputation and brand value is even more severe
than the legal risks. A simple incident that compromises for example the confidentiality
of customer data may cause the customers to choose another service provider.
However, it can also be argued that outsourcing itself does not self-evidently increase
the risks compared to a situation where the operations are taken care of in-house, since
there are always certain risks present related to confidentiality, integrity and availability
even when the company itself takes care of the operations. It’s all about identifying and
evaluating threats and risks and mitigating them to the degree reasonably possible and
realistic, e.g. by setting controls and following them up.
Data protection and privacy is not something one can assign as the responsibility of one
person or unit. It is not something that the Legal Affairs or Sourcing unit just fixes by
drafting agreements amongst themselves. Requirements related to processing and
transferring personal data have to be identified, evaluated, implemented and followed
up during the whole outsourcing life cycle and implemented into the processes just like
any other aspects related to the co-operation.
BIBLIOGRAPHY
Amundsen Hoel Britt, CSO, Telenor Norge AS, Presentation High risk – low cost -going offshore, ISF annual conference in Monaco, 2010.
Bryan A. Garner, Black’s Law Dictionary, 8th edition, West Publishing Co, 2004.
Consolidated version of the Treaty on European Union, Official Journal (“OJ”) of the European Union C 83.
Commission decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, 2010/87/EU, 5.2.2010.
Communication from the Commission to the European Parliament, The Council, The Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609, Brussels, 4.11.2010.
Consolidated version of the Treaty on the Functioning of the European Union, OJ C 83.
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201.
European Commission, Proposal for a regulation of the European parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29/11/2011.
European Convention for the Protection of Human Rights and Fundamental Freedoms.
European Court of Justice, Case C-101-01, Bodil Lindqvist, ECR, 2003.
Finnish Personal Data Act (523/1999).
Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998) yksityiskohtaiset perustelut (Finnish Government proposal on Personal Data Act).
Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004.
Information Security Forum, Information risk management in outsourcing and offshoring, January 2008.
Information Security Forum: Security healthcheck.
Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset, 27.7.2010.
Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006.
Viviane Reding, Privacy in the Cloud: Data Protection and Security in Cloud Computing, at round-table high level conference on Mobilising the Cloud organised by GSMA Europe, speech/11/859, 7.12.2011.
Reding Viviane, Your data, your rights: Safeguarding your privacy in a connected world, Speech/11/18, 316.3.2011, Brussels
Working Party (WP) on the Protection of Individuals with regard to the Processing of Personal Data, Working Document Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP12, 24.7.1998.
Working Party, Opinion 4/2007 on the concept of personal data WP 136, 20.6.2007.
Working Party, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005
Working Party, Working document on data protection issues related to RFID technology WP 105, 19.1.2005.
Web-pages
Datainspektionen,Transfer of personal data to a third country, http://www.datainspektionen.se/in-english/in-focus-transfer-of-personal-data/#3
European Commission, What are EU directives?, http://ec.europa.eu/eu_law/introduction/what_directive_en.htm
Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries; http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf
Towards Cloud Computing Strategy; http://ec.europa.eu/information_society/activities/cloudcomputing/index_en.htm