Outsourcing and transfer of personal data - Titta Penttilä - TeliaSonera

Titta Penttilä's research "Outsourcing and transfer of personal data" for Information Security Training Program at Aalto University/ Aalto Pro 16.01.2012. Titta Penttilä is Senior Security Manager at TeliaSonera.
OUTSOURCING AND TRANSFER OF PERSONAL DATA
7. Information Security Training Program
Aalto University / Aalto Pro, 16.01.2012
Titta Penttilä
SUMMARY

Author: Titta Penttilä, LL.M., Senior Security Manager, titta.penttila@teliasonera.com
Date and place: 16.1.2012, Helsinki, Finland
Course: Aalto University / AaltoPro: 7. Tietoturvallisuuden koulutusohjelma (7th Information Security training program)
Title: OUTSOURCING AND TRANSFER OF PERSONAL DATA

Outsourcing of business activities within the EU and also to third countries is becoming a natural part of today's business operations. The concept of personal data is very wide, and therefore the aspects regarding transfer of personal data are relevant in most outsourcing cases.

The Personal Data Directive from the year 1995 forms the current foundation of regulation in the EU Member States. The first part of this study concentrates on the description of the regulative framework, and the second part gives more practical information on taking personal data aspects into account in each phase of an outsourcing activity.

Search words: Outsourcing, personal data, privacy, data protection
Table of contents

1 Introduction
2 Regulation
  2.1 Fundamental rules of European Union
  2.2 European Union directives
  2.3 Commission decisions, opinions and recommendations of the Working Party
  2.4 Finnish regulation
  2.5 Applicable law
  2.6 The new legal framework for the protection of personal data in the EU
3 Terminology
  3.1 Personal Data
  3.2 Outsourcing
  3.3 Controller
  3.4 Processor
4 Transfer of personal data from controller to processor
  4.1 What determines a transfer of personal data?
  4.2 General principles on processing of personal data
  4.3 Transfers within Finland and the EU/EEA
  4.4 Transfers to third countries from the EU/EEA
    4.4.1 General aspects
    4.4.2 The alternative ways of proceeding
      4.4.2.1 Adequacy assessment
      4.4.2.2 Specific situations and conditions
      4.4.2.3 Standard contractual clauses approved by the Commission
      4.4.2.4 Adequate safeguards adduced by the controller
5 Outsourcing lifecycle and data protection
  5.1 Preparation phase
    5.1.1 Developing the business case
    5.1.2 Choosing the partner
    5.1.3 Agreeing with the partner
  5.2 Implementation phase
  5.3 Operation phase
  5.4 Review and Exit phase
6 Conclusions
BIBLIOGRAPHY
1 Introduction

Outsourcing of business operations or functions has become an increasingly growing trend and a natural part of today's business operations. When considering outsourcing, information security and privacy aspects are an essential part, since outsourcing nearly always involves transfer of information to the outsourcing partner. Most of the time the information also includes personal data (e.g. concerning customers or employees).

Processing and transferring personal data is regulated on the European Union (EU) and national level. One major issue when planning outsourcing is to understand the demands of regulation and the risks involved. When operating on national or even EU level the concept is rather clear, but if operations are outsourced outside of the EU to so-called third countries, the legal requirements are much more complex and leave room for interpretation.

In this study my target is to first describe the regulatory background, requirements and possible ways to go forward, and then take a more practical view on how transfer of personal data to an outsourcing partner should be taken into account in each phase of the outsourcing lifecycle. The first part is mainly based on literature and official EU documents, and the more practical latter part also includes information based on my own experiences as legal counsel and senior security manager.

Since my aim is to cover outsourcing situations, I have limited the scope to include only transfers of personal data from a controller to a processor (i.e. from a company to an outsourcing partner that processes personal data on behalf of the company in question), and I won't be looking into issues related to controller-to-controller or intra-company transfers (e.g. Binding Corporate Rules). In addition I am looking into the issue from the EU perspective and only including aspects related to transfers originating from the EU, i.e. transfers within a Member State, to another Member State or to a third country, using Finland as an example.

The main emphasis is put on the EU level regulation, since that forms the basis of regulation in all Member States already now and even more strongly in the future. There is a comprehensive EU data protection law reform currently ongoing in the EU, which will also have an impact on the transfer of personal data in outsourcing cases. I have therefore included a brief glance at the future regulation proposal. The perspective of this study is juridical and administrative; therefore no technical aspects are covered.
2 Regulation

2.1 Fundamental rules of European Union

The European Union is founded on two constitutive treaties: the Treaty on European Union and the Treaty on the Functioning of the European Union, which both have the same legal value.

The Treaty on the Functioning of the European Union organizes the functioning of the Union and determines the areas of, delimitation of, and arrangements for exercising its competences [1], and it also includes provisions related to protection of personal data:

  Article 16
  1. Everyone has the right to the protection of personal data concerning them.
  2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

As referred to in the above-mentioned Article 16, the Treaty on European Union states that the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States and the rules relating to the free movement of such data. [2]

Moreover, the protection of personal data is stated as one of the fundamental rights and commonly shared values adopted in the Charter of Fundamental Rights of the European Union (2010/C 83/02) [3], recognized in the Treaty on European Union. [4]

  Article 8, Protection of personal data
  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

The Treaty on European Union also declares that the Union shall accede to the European Convention for the Protection of Human Rights and Fundamental Freedoms [5], which also includes the principle that everyone has the right to respect for his private and family life, his home and his correspondence. [6]

The protection of personal data and personal life is therefore regulated on a fundamental level in many different binding European Union regulations, which may be overlapping. However, they aim towards the same target: ensuring protection of personal data.

2.2 European Union directives

EU directives describe a target that must be achieved in every Member State, but each Member State may choose how it implements the directive in national law. [7]

The Data Protection Directive was adopted in October 1995. The Directive has a twofold objective derived from the targets of European integration: to ensure a free flow of personal data from one Member State to another and, on the other hand, to safeguard the fundamental rights (i.e. the right to privacy and data protection) of individuals. [8]

In principle the directive applies to all processing of personal data. It includes rather detailed provisions on the lawfulness of the processing of personal data, juridical remedies, liability and sanctions, as well as on transfer of personal data to third countries, which will be described later in chapter 4.4.

The European Commission is preparing a revision of the legal framework for data protection to meet the new demands of rapid technological developments and globalization that have changed the world and thus brought new challenges. [9] The aim is to propose a new General Data Protection Regulation, which is briefly described later in chapter 2.6.

There are also other, more sector-specific directives, such as the Directive on privacy and electronic communications, which concerns processing of personal data in the electronic communications sector. [10]

2.3 Commission decisions, opinions and recommendations of the Working Party

The Commission decisions relevant in the context of this study are:
- findings on an adequate level of protection in certain third countries;
- standard contractual clauses sufficient in safeguarding the adequate level of protection when transferring personal data to third countries.

These are described in more detail later in chapters 4.4.2.1 and 4.4.2.3.

A working party is set up based on the Personal Data Directive. It is composed of national data protection authorities, representatives of the Community institutions as well as a representative of the Commission. The Working Party has an advisory status and it may make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the EU. [11]

2.4 Finnish regulation

The Constitution of Finland (731/1999) guarantees the right to privacy:

  Section 10 - The right to privacy
  Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.

Finland has implemented the Personal Data Directive by adopting the Personal Data Act (523/1999), which entered into force in June 1999. The new act replaced the former Personal Data File Act from the year 1988, but the main principles remained the same.

Other focal, more sector-specific privacy laws are the Act on the Protection of Privacy in Electronic Communications (516/2004), which was enacted based on the Directive on privacy and electronic communications, and the Act on the Protection of Privacy in Working Life (759/2004), whose target is to promote the protection of privacy and other basic rights safeguarding the protection of privacy in working life.

2.5 Applicable law

The general rule is that the law of the Member State where the controller is located is applied to the processing of personal data regardless of where or by whom the data is processed. [12] In outsourcing situations the company outsourcing its operations stays in control of the data, and the outsourcing partner may process the data only on behalf of the company and according to its instructions. Therefore the company remains the controller and the outsourcing partner is a processor, which means that the law of the Member State where the company outsourcing its operations is located is applied even when the processing is performed by an outsourcing partner in another Member State or in a third country. Moreover, the transfer of data does not free the controller from its obligations; instead the controller will continue to be liable under that Member State's law for any damage caused as a result of unlawful processing of personal data. The controller may, however, be able to recover losses in a separate legal action against the processor based on the outsourcing agreement. [13]

Notwithstanding the general rule presented above, there can be requirements in the law of the country where the processor is located that may override the national law of the controller, thus enabling disclosure of personal data to the state, e.g. to the police. Within the EU this possibility is restricted to those disclosures that are necessary in democratic societies for one of the "ordre public" reasons stated in the Personal Data Directive. However, in third countries similar restrictions may not be in place. [14]

The rules of applicable law are not always clear, and there is an unfortunate possibility of conflicts of law, especially when many Member States are concerned (e.g. a multinational company established in several Member States provides services). Ever-increasing globalization and technological developments also add to the complexity. The Commission has stated that it will examine how to revise and clarify the existing provisions on applicable law in order to improve legal certainty and clarify Member States' responsibility. The ultimate goal is to provide EU citizens the same degree of protection regardless of the geographic location of the data controller. [15]

2.6 The new legal framework for the protection of personal data in the EU

A draft version of the proposal for the new General Data Protection Regulation was leaked in the beginning of December 2011, even though it was not supposed to be published until January 2012. Since the official proposal is not available at the time of writing this paper, I refer below to the unofficial draft.

Contrary to the current Personal Data Directive, the new framework is to be based on a regulation and is therefore directly applicable without national implementation. The main challenges with the current framework have not been its objectives or principles, which are to remain quite the same, but fragmentation of the implementation across the Member States and legal uncertainty added by rapid technological development and ever-increasing global business activities. The proposed regulation aims to tackle the current challenges by introducing a solid and strong foundation for data protection and moving towards full harmonization. [16]

The main issues of the data protection reform as described by Viviane Reding, the EU Justice Commissioner, are the following:
- Increased transparency demands and control of citizens regarding their personal data.
- Privacy by design, meaning that services should include built-in privacy features.
- Obligation to notify data breaches to authorities and users (previously set only for telecom operators).
- Right to data portability, meaning that users should not be locked in to a certain service, but the service provider must enable transfer of the user's personal data to another service.
- Making the EU legal framework simpler for businesses by eliminating unnecessary costs and administrative burdens and creating a level playing field for companies.
- Supporting international transfers so that there is one single set of rules for transfers of personal data to third countries and no additional national conditions.
- Emphasizing the importance of trust and encouraging innovation. [17]

The new draft regulation clarifies to a certain degree the applicable law issue in outsourcing situations. Within the EU the new regulation would harmonize and unify the rule set in different Member States, since local differences within the scope of the regulation would no longer be accepted due to its directly applicable nature. However, how much room for interpretation is left for the national authorities, and what the role of the new European Data Protection Board will be, remains to be seen.

Moreover, "all processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this [new] regulation, regardless of whether the processing itself takes place within the Union or not". [18] It is thus clearly stated that personal data shall continue to be subject to EU regulation even though it is processed in a third country.

The main elements of transfer of personal data to third countries are to remain similar to the current ones. The transfer may be based on an adequacy decision made by the Commission, and the proposal clarifies the matters that the Commission needs to take into account when making such an assessment. If an adequacy decision does not exist, the transfer may happen by way of introducing appropriate safeguards, e.g. using standard data protection clauses adopted by the Commission. As today, there is also the third alternative of relying on the specific derogations stated in the proposed regulation.

A new approach is that the concept of binding corporate rules, which so far has been a possible tool when transferring personal data within a group of companies, is now proposed to be broadened to cover also a group of undertakings and its members. [19] It is uncertain whether an outsourcing relationship could be considered to form such a group of undertakings as is meant by the proposed regulation.

Unfortunately, the new proposal does not seem to bring concrete answers or solutions to new international phenomena such as cloud services. The interest has so far been more towards protecting citizens' rights than enabling companies to take advantage of cloud computing possibilities. However, there will be a European Cloud Computing Strategy launched during 2012 that also covers legal framework related matters. [20]

Notes
1 Official Journal of the European Union C 83: Consolidated version of the Treaty on the Functioning of the European Union, art. 1.
2 Official Journal of the European Union C 83, art. 39.
3 Official Journal of the European Union C 83, p. 389.
4 Official Journal of the European Union C 83: Consolidated version of the Treaty on European Union, art. 6.
5 Official Journal of the European Union C 83/19: Consolidated version of the Treaty on European Union, art. 6.
6 European Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8.
7 European Commission, http://ec.europa.eu/eu_law/introduction/what_directive_en.htm
8 OJ L 281, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 1.
9 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609, Brussels, 4.11.2010, p. 2.
10 OJ L 201, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
11 Personal Data Directive, art. 29 and art. 30.
12 Personal Data Directive, art. 4.
13 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP12, 24.7.1998, p. 18–19 and p. 21.
14 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP12, 24.7.1998, p. 21.
15 European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 11.
16 European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29/11/2011, Explanatory memorandum, p. 3.
17 Viviane Reding, Privacy in the Cloud: Data Protection and Security in Cloud Computing, at round-table high level conference on Mobilising the Cloud organised by GSMA Europe, SPEECH/11/859, 7.12.2011.
18 General Data Protection Regulation draft, recital 13.
19 General Data Protection Regulation draft, art. 40.
20 Towards Cloud Computing Strategy; http://ec.europa.eu/information_society/activities/cloudcomputing/index_en.htm
3 Terminology

3.1 Personal Data

It is critical to understand the concept of personal data in order to interpret the applicable legislation and comply with it. The Data Protection Working Party has scrutinized the concept in its Opinion 4/2007, which is described below.

According to the Data Protection Directive (95/46/EC), "personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".

The purpose of the Data Protection Directive is to protect the fundamental rights and freedoms (especially privacy) with regard to the processing of personal data. The definition is intended to be broad and to cover, as a general rule, any kind of information that can in one way or another be related to an identified or identifiable person. [21]

The definition can be divided into four separate requirements that together form the concept of personal data. First of all, the definition refers to "any information", which clearly shows the intention of broad interpretation. The information may be subjective information such as opinions and assessments (e.g. hard-working, reliable payer) as well as objective information (e.g. blood type) by nature. The information considered personal data may even be false. Moreover, the content of the information may be of any sort relating to private, family or working life. From the point of view of the format or where the information is stored, there are no limitations either. The information may e.g. be alphabetical or numerical, stored on a computer hard drive or on a video tape. Even a sound (e.g. phone call recordings), an image (e.g. video surveillance recordings) or biometric data (e.g. fingerprints, vein patterns, behavioural characteristics such as a particular way to walk or speak) is within the scope. [22]

Secondly, the information has to "relate to" a person. Data relates to an individual if it refers to the identity, characteristics or behaviour of an individual, or if such information is used to determine or influence the way in which that person is treated or evaluated. [23] In order to consider information to relate to an individual, three alternative elements can be distinguished: content (information is given about a particular person, e.g. medical results relate to the patient), purpose (information is used or is likely to be used with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual), or result (information is likely to have an impact on a certain person's rights and interests). It is enough to have one of these alternative elements present. However, a simplified general rule that can be used as a good starting point when assessing whether or not information relates to an individual is that information which is about an individual also relates to that individual. [24]

The third requirement is that the information relates to a natural person that is "identified or identifiable". As a general rule a person is identified when, within a group of persons, the person is distinguished from all other members of the group. The context and circumstances determine when certain identifiers are sufficient to achieve identification (e.g. a common family name is rarely enough to identify a person unless the group is small, for example Penttilä from Corporate Security of TeliaSonera). An individual may be identified directly, most commonly by name, or indirectly by combining pieces of information that may or may not all be retained by the data controller, and thus narrowing down to a single person. [25]

However, it is enough that a person is identifiable even though not yet identified. When assessing whether a person is identifiable, one should take into account all the means likely reasonably to be used either by the controller or by any other person to identify the person in question, today or in the future during the whole lifetime of the data processing (e.g. IP addresses can with reasonable means be related to identified persons by internet access providers). The purpose of processing may indicate that the data controller aims to identify the persons sooner or later, and therefore it is hard to prove that there are no means likely reasonably to be used for identification (e.g. the purpose of video surveillance is in the end to identify persons that have unlawfully accessed premises). [26]

In outsourcing cases it may be enough that the outsourcing partner receives and processes pseudonymised data. Pseudonymisation can be done e.g. by key-coding the data so that each individual is given a code, and the code and the identifiers of the individual (e.g. name, personal ID) are kept separately. If the pseudonymised data is transferred to the outsourcing partner, but the partner has no means likely reasonably to be used to access the encryption key (the list that reveals the link between a key code and an individual) or otherwise become aware of the identity of the persons, this transfer of data is not to be considered a transfer of personal data. [27] If data is anonymous in the sense that no individual can be identified by the data controller or any other person, taking into account all the means likely reasonably to be used to identify that individual, the data is not personal data. The analysis must be performed on a case-by-case basis, considering the circumstances now and during the whole lifetime of the data processing. [28]

The fourth element of the definition is that the Data Protection Directive applies to natural persons (i.e. human beings) without any restrictions related e.g. to nationality or residence. Data on dead persons is in principle not considered personal data, since the dead are no longer natural persons in civil law. However, there may be some exceptions to that general rule in national laws, and in some cases the data on a dead person may also relate to a living person and therefore be considered personal data. [29] Information relating to legal persons (e.g. companies, associations etc.) is not personal data, unless the data also relates to natural persons (e.g. a corporate e-mail address that is used by a certain employee). The Finnish Communications Regulatory Authority has stated that the confidentiality of communications remains in force also after a party to the communications has died (e.g. the heir has no right to receive a full itemization of the phone bill from the time period before death).

3.2 Outsourcing

There is no commonly agreed exact definition of outsourcing; however, in general the term is used to describe the process of subcontracting services or goods from a third party.

Information Security Forum members have in workshops agreed on the following definition: "Outsourcing is the transfer of the operation or creation of activities, services or facilities from an organisation to a third party provider. The responsibility for managing the arrangement lies with the organisation and delivery with the provider". [30]

Offshoring is one type of outsourcing, covering "those business functions that are carried out at a location outside of the organisation's home state (country)". [31]

Notes
21 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 4.
22 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 6–9.
23 Data Protection Working Party, Working document on data protection issues related to RFID technology, WP 105, 19.1.2005, p. 8.
24 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 10–11.
25 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 13.
26 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 15–16.
27 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 18–21.
28 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 21.
29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 22.
30 Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004, p. 5.
31 Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004, p. 5.
• 14.

Black’s Law Dictionary defines an outsourcing agreement as follows: “An agreement between a business and a service provider in which the service provider promises to provide necessary services, esp. data processing and information management, using its own staff and equipment, and usu. at its own facilities”.[32]

In TeliaSonera’s internal terminology outsourcing activity is divided into two separate terms: outsourcing and sourcing of services. Outsourcing is defined as a “one time activity to transfer an outsourcing object to a supplier/partner” and sourcing of services begins when “after completion of outsourcing activity TeliaSonera continues to buy services from the supplier/partner”.

After the actual transfer of operations to the outsourcing partner, there is a risk that interest in the outsourcing case decreases and the case is more or less considered closed. However, it is equally important to manage the period after the actual transfer and to ensure that the outsourcing partner fulfils the requirements set in the agreement during the whole term of the agreement. Therefore in my study I will cover both the outsourcing and the sourcing of services phases.

3.3 Controller

According to the Data Protection Directive article 2 d, “controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.”

In practice the controller is the party that decides what data is collected and stored, the purpose of the processing of data as well as the means. In other words, the controller is an organization that controls and is responsible for the personal data which it holds.[33] The controller is also responsible for ensuring that the personal data is lawfully collected and processed. In the outsourcing context the controller is the party that transfers its operations to an outsourcing partner.

[32] Bryan A. Garner, Black’s Law Dictionary, 8th edition, West Publishing Co, 2004, p. 1136.
[33] Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 10.
• 15.

3.4 Processor

The Data Protection Directive (art. 2 d) defines the processor as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”

In an outsourcing case the processor is the outsourcing partner to whom a controller has outsourced certain of its activities. The processor does not have an independent right to process any personal data of the controller, since its rights are derived from the controller; thus the processor always acts on behalf of the controller and according to its instructions.
• 16.

4 Transfer of personal data from controller to processor

4.1 What determines a transfer of personal data?

The Personal Data Directive does not define what kind of activity equals a transfer of personal data. A transfer can be interpreted to cover all cases where a controller takes action in order to make personal data available to a third party.[34] Transfer and disclosure of information differ in the sense that when information is transferred the controller may also remain the same.[35]

The Finnish Data Protection Ombudsman has expressed that also establishing remote access to data equals a transfer, even though the physical database is not itself transferred[36] (e.g. if a database is located in Finland but can be accessed remotely from India, it is considered a transfer outside the EU).

However, it is not completely clear when a transfer occurs: for example, if a company discloses contact information of its employees outside the EU or EEA (the European Economic Area) over the phone, e-mail or internet, is that to be considered a transfer? The provision regarding transfer should be applied when transferring individual pieces of data as well as large quantities.[37] Moreover, the Court of Justice has stated that there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider established in that State or in another Member State, thereby making those data accessible to anyone connecting to the internet, even outside the EU/EEA.[38]

In outsourcing cases it is often quite clear that personal data is transferred to an outsourcing partner, either by making data available via remote access or by actually transferring certain databases to be stored in data rooms at the outsourcing partner’s facilities. Even though both alternatives are to be considered a transfer, there is a difference in what kind of security requirements have to be set on the outsourcing partner. The actual transfer of a database is the more critical case when assessing the need for security controls and requirements.

[34] Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 18.
[35] Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998), yksityiskohtaiset perustelut, luku 5 (Government proposal on the Personal Data Act, detailed reasoning, chapter 5).
[36] Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset (Outsourcing of personal data processing, shared information systems, networking and related agreements), 27.7.2010, p. 11.
[37] Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 3.
[38] Case C-101/01, Bodil Lindqvist, ECR 2003, p. I-12971; see also question 3: http://www.datainspektionen.se/in-english/in-focus-transfer-of-personal-data/#3
• 17.

4.2 General principles on processing of personal data

The Data Protection Directive and the national laws based on it include various requirements on collecting and other processing of personal data that are the responsibility of the controller. These are briefly described below, based on the Finnish Personal Data Act and the Data Protection Directive, in order to give some background information on the general rules applicable to the processing of personal data:

Duty of care
The controller, as well as anyone operating on behalf of the controller, shall process personal data fairly, lawfully and carefully.

Planning obligation
The controller shall plan the purposes of the processing of personal data; the regular sources of personal data and the regular recipients of recorded personal data shall be defined before the collection of the personal data. According to the Finnish Personal Data Act the result of this planning has to be expressed in a description of the personal data file that is made available to anyone.

Exclusivity of purpose
Personal data may not be processed in a way incompatible with the purposes defined before collection of the personal data.

Necessity requirement
The personal data processed must be adequate, relevant and not excessive in relation to the purposes for which they are collected and processed, and they may not be kept in an identifiable form longer than is necessary for the purposes for which the data were collected or processed.

Accuracy requirement
The personal data must be accurate and up to date, and no erroneous, incomplete or obsolete data are to be processed.

General prerequisites for processing
Personal data may be processed only if certain prerequisites for processing are met. The most relevant applicable prerequisite from the point of view of a controller providing services or goods to customers is the connection requirement, i.e. processing is necessary for the performance of a contract or for taking steps prior to entering into a
• 18.

contract. This applies e.g. to customers and employees of the controller. However, one must bear in mind all the other principles and requirements that also have to be fulfilled in order to comply with regulation.

Other possible grounds for processing of personal data are e.g. the unambiguous consent of the data subject, the processing being necessary for compliance with a legal obligation, or the need to protect the vital interests of the data subject.

Transparency principle
The controller shall provide information on the processing of personal data to the data subject, such as the identity of the controller, the purposes of the processing of data, the recipients of the data and information on the rights of the data subject.

Every data subject shall have the right to obtain information on the processing of his/her personal data from the controller, as well as the right to have in particular incomplete or inaccurate data rectified, erased or blocked.

Security of processing
The Data Protection Directive sets demands on the security of the processing not only when the controller itself processes data but also when processing is carried out on its behalf by a processor.

The controller must ensure that appropriate technical and organizational measures are taken to maintain security both at the time of the design of the processing system and at the time of the processing itself.

“…the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”

The legislator understands that it is in general extremely hard, even impossible, to accomplish complete, bulletproof data security at reasonable cost. Therefore these security measures shall be designed taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected.[39] The higher the risk and/or the deeper the intervention into the privacy of an individual, the higher are the demands on the security.

[39] Personal Data Directive (95/46/EC), recital 46.
• 19.

If the processing of personal data is carried out by a processor on behalf of the controller, the Personal Data Directive also requires that the controller choose a processor providing sufficient guarantees of technical and organizational security measures, as well as ensure compliance with those measures.[40]

Confidentiality
Personal data are confidential and may not be disclosed to third parties against the provisions of applicable law.[41] Any person who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.[42]

In addition to the general principles described above there are requirements on the processing of special categories of data (e.g. sensitive data) and on processing for certain specific purposes (e.g. direct marketing, historical, statistical or scientific purposes), as well as certain exceptions regarding for example national or public security, criminal procedures and national defence.

4.3 Transfers within Finland and the EU/EEA

The target of the Data Protection Directive is, in addition to protecting the right to privacy, to ensure the free flow of personal data within the EU. Each Member State has had to adopt national provisions pursuant to the directive, i.e. implement it into local law.[43] Personal data may therefore be transferred within the EU and the European Economic Area (EEA) countries on the same grounds as disclosing, transferring or otherwise submitting them within a Member State.[44]

Transfer of personal data in an outsourcing situation from controller to processor is not considered a disclosure of data, which would in many cases require consent from the data subject. The processor processes the personal data only on behalf of the controller and according to the controller’s requirements that are stipulated in an outsourcing agreement. The controller is responsible for the lawfulness of the processing and the processor for complying with the agreement.[45]

[40] Personal Data Directive (95/46/EC), art. 17.2.
[41] Finnish Personal Data Act (523/1999), 33 §.
[42] Personal Data Directive (95/46/EC), art. 16.
[43] Personal Data Directive (95/46/EC), art. 1 and 32.
[44] Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 4.
[45] Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset (Outsourcing of personal data processing, shared information systems, networking and related agreements), 27.7.2010, p. 3.
• 20.

Transfer of personal data to a processor within Finland or the EU/EEA is possible only if the general principles described in chapter 4.2 above are fulfilled. For example, the data may not be transferred to be processed for any purpose incompatible with the purposes earlier defined by the controller. The processor is acting on behalf of the controller and therefore cannot have any better rights to the data than the controller itself has.

There are no binding model agreements or contractual clauses for transfers within a Member State or the EU/EEA. However, the Personal Data Directive (art. 17.3) requires that a contract or binding act be in place between a controller and a processor. This so-called Data Transfer Agreement (DTA) must include at least the following requirements: a) the processor shall act only on instructions from the controller, and b) the data security related obligations specified in article 17 paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor. Therefore, in order to comply with regulation and to ensure that each party understands and undertakes its responsibilities regarding the processing of personal data during the whole lifecycle of the outsourcing relationship, it is essential to include terms and conditions related to the processing of personal data in the outsourcing agreement, or even to sign a separate data protection agreement.

The requirements of the Personal Data Directive (art. 17.3) are implemented in the Finnish Personal Data Act 32 § as follows:

“(1) The controller shall carry out the technical and organisational measures necessary for securing personal data against unauthorised access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. The techniques available, the associated costs, the quality, quantity and age of the data, as well as the significance of the processing to the protection of privacy shall be taken into account when carrying out the measures.
(2) Anyone who as an independent trader or business operates on the behalf of the controller shall, before starting the processing of data, provide the controller with appropriate commitments[46] and other adequate guarantees of the security of the data as provided in paragraph (1).”

It is worth noting that the Finnish Personal Data Act does not literally require a written contract or binding act to be in place between the parties. However, it is more than advisable to conclude a written DTA with an outsourcing partner also when working with a Finnish outsourcing partner.

[46] In Finnish: “annettava rekisterinpitäjälle asianmukaiset selvitykset ja sitoumukset”
• 21.

4.4 Transfers to third countries from the EU/EEA

4.4.1 General aspects

Contrary to transfers within the EU, the transfer of personal data outside the EU to third countries is rather strictly regulated in order to ensure an adequate level of protection. EU Justice Commissioner Viviane Reding has pointed out “protection regardless of data location” as one of the four pillars on which people’s rights need to be built, meaning that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed.[47] Third countries are all countries other than the EU Member States and the European Economic Area (EEA) countries.

There are two main rules that have to be complied with when considering the transfer of personal data to a third country: a) the personal data in question must have been collected and processed in accordance with the national laws applicable to the controller established in the EU, and b) the third country in question ensures an adequate level of protection, or one of the derogations laid down in the directive is applicable.[48]

The general principles referred to in the first rule have already been described above in chapter 4.2. If those are not complied with, the transfer is considered illegal even though the second requirement of an adequate level of protection is met. In particular one must ensure that the purpose of the transfer is compatible with the one for which the data were initially collected (exclusivity of purpose).

From the point of view of a company wanting to outsource its operations to a third country, the easiest option to go ahead with the transfer is that the third country has been found by the Commission to provide adequate protection. If that is not the case, it may be easiest to use the standard contractual clauses approved by the Commission to proceed with the transfer. These and also the other options to be evaluated before transferring data to a third country are described below.

4.4.2 The alternative ways of proceeding

4.4.2.1 Adequacy assessment

The main principle laid down in the Data Protection Directive is that personal data may be transferred outside of the EU or EEA countries only if the third country in question

[47] Reding Viviane, Speech/11/183, Your data, your rights: Safeguarding your privacy in a connected world, 16.3.2011, Brussels. The other three pillars are: right to be forgotten, transparency and privacy by default.
[48] Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 19–20.
• 22.

ensures an adequate level of protection. The adequacy level shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of operations. In particular one shall consider the nature of the data, the purpose and duration of the processing operation(s), the country of origin and the country of final destination, the rules of law (general/sectoral) in force in the third country in question, and the professional rules and security measures which are complied with in that country.[49] The adequacy of the protection may be assessed either by a Member State according to national legislation or by the Commission.

The directive requires that each Member State achieve the set result, i.e. ensure an adequate level of protection in the third country, but leaves room for choice in how the result is achieved. The degree of involvement of the data protection authority in these so-called self-assessment cases varies between Member States, which may lead to the risk that the level of protection provided in a third country is judged differently in different Member States.[50] In Finland the controller assesses the adequacy first, but must notify the Data Protection Ombudsman of such a transfer, who then evaluates whether the level of protection reached is adequate.

Moreover, the Commission may make a binding decision that a certain country[51] ensures an adequate level of protection, in which case there are no formal extra requirements related to the transfer, and it may take place on the same grounds as within the EU. These so-called Commission adequacy findings provide legal certainty and uniformity throughout the EU.[52] The Commission adequacy findings are based on the same criteria as explained above, but according to the Commission’s study the requirements are not specified in satisfactory detail. Therefore the Commission will aim to clarify the Commission’s adequacy process and specify the assessment criteria and requirements in more detail in connection with the ongoing revision of the EU legal framework for data protection.[53]

[49] Data Protection Directive, art. 25.
[50] European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 15.
[51] An up to date list of these countries is available at: http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm
[52] Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 4.
[53] European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 15.
• 23.

4.4.2.2 Specific situations and conditions

Even though a third country does not ensure an adequate level of protection, a transfer of personal data may take place according to the derogations laid down in the directive,[54] if one of the following conditions is met:

a) The data subject has given unambiguous consent to the transfer. The consent must be clear, voluntary, detailed and consciously given, based on at least information on what data, for what purpose, to whom and to what country the data will be transferred. Mere negligence to object by an informed data subject does not constitute unambiguous consent.[55]

b) The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of precontractual measures taken in response to the data subject’s request. This derogation may seem extensive, but in fact it is limited by the strict interpretation of the necessity requirement. There needs to be a close and substantial connection between the data subject and the purposes of the contract in order to pass the necessity test. For example, this derogation may not be relied upon in order to transfer data of employees from a subsidiary to the parent company (e.g. to a centralized payment and HR system), since there is no sufficient link between the performance of an employment contract and such a transfer of data.[56] However, the Finnish Data Protection Ombudsman has given an opinion that contact information of employees of a multinational corporation may be published on the company’s intranet in order for the employees to be reached by colleagues employed by the same company.[57]

c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party. Just like in the previous derogation (b), the interpretation of necessity is very narrow. The data controller must be able to prove that the data transfer is necessary for the performance of the contract. For example, in an outsourcing situation where a company is planning to transfer employee information to an outsourcing partner located outside the EU, to whom the company is aiming to outsource its payroll management, there is not a close enough link between the data subject’s interests and the contract even though the

[54] Personal Data Directive (95/46/EC), art. 26.1.
[55] Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 8.
[56] Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 13.
• 24.

outsourcing partner is to manage salary payments to the employees.[58] This derogation could be applicable to transfers made in order to conclude a contract on the insurance or health care of an employee working abroad.[59]

d) The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. The regulator has intended this derogation mainly for situations where international exchanges of data may be necessary between tax or customs administrations or between services competent for social security matters. Once again the requirements are subject to strict interpretation.[60]

e) The transfer is necessary in order to protect the vital interests of the data subject, such as in the case of a medical emergency. Vital interests refer to interests essential to the life of the data subject, not to economic or property related interests.[61]

f) The transfer is made from a public register which is open to the public in general or to anyone who can demonstrate a legitimate interest. This however does not allow the transfer of the whole register or entire categories of data contained in the register, due to the risk that the data is used in the third country for another purpose than initially planned.[62]

These exemptions from the general principle of ensuring adequate protection must be interpreted restrictively. Their scope is intended to be narrow and to cover mainly cases where the risks to the data subject are relatively small or where other interests override the data subject’s right to privacy.[63] Otherwise the situation would be quite risky from the data subject’s point of view, since there may be a total lack of protection in the third country, or at least a significantly lower level of protection than in the EU.[64]

[57] Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 8.
[58] Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 14.
[59] Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998), yksityiskohtaiset perustelut, 23 § (Government proposal on the Personal Data Act, detailed reasoning, section 23).
[60] Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 15.
[61] Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 9.
[62] Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 16.
[63] Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 7.
[64] Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 6.
• 25.

4.4.2.3 Standard contractual clauses approved by the Commission

The Commission may decide that certain standard contractual clauses offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.[65] Personal data may therefore be transferred to a third country that does not offer an adequate level of protection if an applicable set of standard contractual clauses is used.

The target and scope of a contract in the case where personal data is transferred outside the EU area is much wider than in transfers within the EU. Between parties within the EU countries the contract, as explained in Chapter 4.3, is a tool to define and agree on the responsibilities between two or more parties. However, when transferring data to a third party located outside the EU area, the contract must provide additional safeguards, because the receiving party is not governed by the EU data protection regulation. These requirements are included in the standard contractual clauses in order to ensure adequate safeguards.[66]

In an outsourcing situation the outsourcing partner is acting as a processor, processing personal data on behalf of a controller (the company outsourcing its activities) and according to the controller’s instructions. The Commission adopted an updated version of the standard contractual clauses covering such transfers from a controller to a processor (controller to processor clauses) on 5.2.2010. The preceding, now repealed clauses were from the year 2002.[67] The Member States must in general accept transfers conducted using the approved standard contractual clauses.[68] There may be differences in national laws regarding the obligation to notify local authorities, but in Finland no such requirement exists.

The standard contractual clauses reflect the general principles of the Data Protection Directive, which are described in more detail under Chapter 4.2 above. The headings of the processor to processor contractual clauses are the following:

- Definitions
The controller is referred to as the data exporter and the processor as the data importer in the context of the contractual clauses. Another important term

[65] Data Protection Directive, art. 26.2 and art. 26.4.
[66] Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP 12, 24.7.1998, p. 16–17.
[67] There are two other sets of standard contractual clauses approved by the Commission, but they apply to transfers from controller to controller only (decisions Set I 2001/497/EC and Set II 2004/915/EC, the so-called business clauses).
• 26.

included in the new set of the clauses is the sub-processor, which means in brief a subcontractor of the processor (data importer) or the subcontractor’s subcontractor.

- Details of transfer
Details of the transfer, such as data subjects, categories of data and processing operations, are to be defined in an appendix.

- Third-party beneficiary clause
The standard contractual clauses should be enforceable by the data subjects against the controller and in certain cases even against the processor, e.g. when the data subject suffers damage as a consequence of a breach of the contract.[69]

- Obligations of the data exporter
The main responsibilities of the data exporter include ensuring that the data processing has been and will be carried out in accordance with the applicable law, continuously instructing the data importer to process personal data according to the data exporter’s instructions and the law, as well as ensuring compliance with the appropriate security measures.

- Obligations of the data importer
The main obligations of the data importer include processing personal data only according to the data exporter’s instructions, warranting that no applicable legislation (e.g. local laws) prevents it from fulfilling its obligations, and implementing technical and organisational security measures.

- Liability
This describes the alternative ways for the data subject to receive compensation for damages resulting from a breach of the agreement.

- Mediation and jurisdiction
If there is a dispute between a data subject and the data importer, the data subject may choose either mediation or litigation.

- Cooperation with supervisory authorities

[68] The Member States may prohibit or suspend data flows only in the situations described in Article 4 of the Commission decision on the standard contractual clauses (2010/87/EU).
[69] Commission decision 2010/87/EU, 5.2.2010, recital 19–20.
• 27.

The supervisory authorities (i.e. national data protection authorities) may receive a copy of the agreement and also conduct an audit of the data importer and sub-processor.

- Governing law
The clauses shall be governed by the laws of the Member State where the data exporter is located.

- Variation of the contract
The standard contractual clauses approved by the Commission may not be changed or modified by the parties. However, the parties may add business related issues to the agreement as long as they do not contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of the data subjects. If other modifications or alterations are made to the clauses, they are no longer treated as the standard contractual clauses benefiting from the special treatment, but fall under the situation described above in Chapter 4.4.2.1, where the data exporter on a case-by-case basis adduces adequate safeguards as assessed by the national authorities.[70]

- Sub-processing
In many cases the processor in a third country needs to further transfer the data received from a controller located in the EU to another processor located outside the EU (e.g. to a subcontractor). This new set of standard contractual clauses includes clauses also on these subsequent onward transfers that occur outside the EU area, thus making data transfers to international actors less bureaucratic. The sub-processing clauses aim to ensure that the personal data being transferred continue to be protected notwithstanding the subsequent transfer to a sub-processor.[71] These clauses do not apply to a situation where a processor located in the EU transfers personal data to a sub-processor located in a third country.[72]

- Obligations after the termination of personal data-processing services
The parties agree on the returning or destroying of personal data, as well as on confidentiality, after the agreement is terminated.

[70] Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 28.
[71] Commission decision 2010/87/EU, 5.2.2010, recital 17.
[72] Commission decision 2010/87/EU, 5.2.2010, recital 23.
4.4.2.4 Adequate safeguards adduced by the controller

Instead of using the standard contractual clauses described above, a controller may itself adduce adequate safeguards with respect to the protection of privacy and the rights of individuals. These may be, for example, self-drafted contractual clauses directed at one specific case and authorised by the national data protection authority.
5 Outsourcing lifecycle and data protection

The outsourcing lifecycle can be divided into four phases: preparation, implementation, operation and review.[73] These four phases are assessed below, especially from the viewpoint of transferring personal data.

5.1 Preparation phase

The target of the preparation phase is to create a business case and to agree in general within the company that outsourcing is the way forward. In the latter part of this phase the outsourcing partner is chosen and the agreements are negotiated.

5.1.1 Developing the business case

It is often easy to focus on the benefits of outsourcing, such as cost savings and increased competence and efficiency. However, when creating a business case it is just as important to evaluate the risks and the additional process and administration costs that may be caused by the specific requirements applying to the object of the outsourcing. Moreover, outsourcing sometimes becomes an end in itself while the targets to be achieved remain unclear. Without a comprehensive understanding of the whole outsourcing case, its goals and its risks, it is impossible to make an informed decision on whether to outsource or not.

The risks to consider may relate, for example, to the following aspects:[74]
- Country risks: e.g. cultural, environmental, political, infrastructural and regulatory issues as well as distance.
- Company risks: e.g. how mature a security level the company has adopted and how security is governed.
- HR risks: e.g. the competence and awareness level of the employees.
- Data risks: e.g. ensuring confidentiality, availability and integrity.
- Deliverables risks: e.g. the reliability of hardening and delivery methods.

It should be kept in mind that the risk of outsourcing is the additional risk compared with the risk of the company taking care of the operations to be outsourced locally by itself, not the total risk.

In most cases outsourcing involves a transfer of personal data to the outsourcing partner, either an actual transfer to the partner's data room or giving the partner remote access to the company's systems. It is essential to identify the criticality of the data and the data categories as well as the specific requirements related to them. The requirements may be rooted in regulation, customer agreements or the company's own policies (e.g. data classification and handling instructions) and risk appetite. The data may include, for example, personal data, traffic data or even the content of communications, which may be processed only in accordance with applicable EU and national legislation; certain customer agreements may also place restrictions on customer data, e.g. by prescribing by whom and where the data may be processed. One must also bear in mind the principle of exclusivity of purpose (purpose limitation) laid down in the Personal data directive, which prohibits processing personal data in a way incompatible with the purposes defined before the collection of the personal data, as well as the other general principles.[75]

In addition to the risk analysis, it is advisable to perform a business impact assessment, whose result shows the possible impact on the company if information is improperly exposed, changed or made unavailable. Even though the legal prerequisites for transferring all kinds of personal data to third countries are the same, the business impact may be quite different if "only" the names of customers are processed without authorisation, compared with a situation where the confidentiality of personal identity numbers, medical records, traffic data (e.g. information on the communication or on the location of the subscription) or even the content of communications (e.g. e-mail messages) is compromised. The controls and additional requirements should be defined based on the analysis and the criticality of the information, taking into account the company's own risk appetite as well as the possibilities to mitigate the risks.

As described before, the EU regulation also allows the transfer of personal data to countries that are not deemed to have adequate protection or whose level of protection has not yet been assessed by the Commission. In such cases the transfer may take place, for example, when standard contractual clauses approved by the Commission are used. This means that the EU regulation does not impose a show stopper; however, the risk analysis performed by the company planning to outsource operations to a third country may suggest that the situation in certain countries, or in a specific area of a country, is such that the risks exceed the risk appetite of the company, i.e. the country risk assessed by the company is too high to be reasonably mitigated by contract or other means. Even though the regulation would support and allow the transfer of personal data, it is not always wise based on the company's own risk and business impact assessments.

[73] Information Security Forum, Information risk management in outsourcing and offshoring, January 2008, p. 3.
[74] Based on the presentation of Britt Amundsen Hoel, CSO, Telenor Norge AS, High risk – low cost – going offshore, ISF annual conference in Monaco, 2010.
[75] According to Section 10 of the Finnish Personal Data Act (10 §), the controller must state in the description of a personal data file whether personal data is to be transferred outside the EU area. The description of the file may date back to a time when outsourcing was not considered, or was not even that common, and may thus state that personal data is not transferred outside the EU. It is uncertain how the description of the file may later be changed if the original version denies the transfers. One way of proceeding with the change is to consider the description as a part of the agreement and change it according to the same principles by which the agreement could be changed. That is often a very time-consuming process. Therefore it is critical to identify the data files in question and check what the description of each personal data file states on the issue at an early stage of the process.
Even though an ISO 27001 certificate, for example, may not assess all the aspects relevant to a specific outsourcing activity, it gives at least a general indication that the partner has an appropriate information security management system in place. When establishing a business relationship with a completely new partner that has no proof of its security level (e.g. no certificates), it may be wise to audit the partner on site, especially if the operations to be outsourced are critical and/or lead to transferring critical information to the partner. Once again it is a question of risk evaluation and mitigation.

An ever increasing share of services is provided from a cloud. When choosing an outsourcing partner and a solution, it is important to get a clear view on whether a cloud is used and, if so, what kind of cloud is in question (private or public). Moreover, when personal data is to be transferred to a cloud, it is essential to understand where the data is located, who is able to process it and how information security aspects are taken into account. There are no "cloud-specific" privacy regulations; all the rules described in this paper regarding the processing and transfer of personal data apply equally to cloud-based processing of personal data. For example, if the cloud is located outside the EU/EEA, an adequate level of protection must be guaranteed by one of the means explained earlier.

[76] Information Security Forum: Security healthcheck, available for ISF members at www.securityforum.org

5.1.3 Agreeing with the partner

When the vendor has been chosen and the business agreement (outsourcing agreement and service agreement) is under negotiation, it is crucial to remember to include the security requirements in the negotiations. Usually a frame agreement covering all the general terms and conditions of the vendor relationship is concluded first, and separate agreements regarding each assignment are then signed.

It is essential to cover at least the following aspects regarding the processing of personal data in the agreements:
- A Non-Disclosure Agreement (NDA), if one has not already been signed during the partner evaluation.
- A data transfer agreement, as explained in Chapter 4.3, if personal data is transferred within the EU/EEA.
- Standard contractual clauses, as explained in Chapter 4.4.2.3, if personal data is transferred to a processor located in a third country (outside the EU/EEA) and there is neither a Commission adequacy finding regarding the country in question nor another means specified in the Data Protection Directive to ensure the adequacy of the protection.
- Other relevant security requirements and controls based e.g. on the risk/business impact assessment, regulation, adopted standards, the company's internal instructions and customer demands. It is good to acknowledge, however, that many vendors provide services to various companies located around the world, and placing additional requirements above e.g. the EU regulatory level may add to the costs, because the vendor has to stretch to a customer-specific solution.
- A description of the common processes and practices related to e.g. access, incident, risk, crisis and business continuity management and the auditing of the vendor, as well as the persons responsible for each area. It is good to prepare for crises and worst-case scenarios, to define the roles, responsibilities and processes related to them, and to test them to the degree possible.
- The consequences and sanctions of a breach of the agreement, e.g. in a situation where the confidentiality or integrity of personal data has been compromised.
- Exit procedures that aim to prevent lock-in to one vendor and enable a seamless as well as secure exit at the end of the partnership.

5.2 Implementation phase

The target of the implementation phase is to manage the transfer of the operations to the outsourcing partner as seamlessly as possible. This phase starts with planning, e.g. creating migration plans and adapting the business, security and support processes, and ends when the operations are up and running at the outsourcing partner.

From the personal data point of view it is crucial to plan the transfer of the personal data: how it is performed in a secure way, or, if the employees of the outsourcing partner are to be granted access to data stored in the company's systems, how the access management process is agreed and the access rights granted accordingly. The company also needs to agree with the outsourcing partner on how the partner's employees are trained to process personal data according to the requirements set in the agreement.

5.3 Operation phase

The operation phase lasts as long as the company continues to source services from the outsourcing partner. This phase requires active support, maintenance and audit activities from the company, including regular security reviews and follow-ups to validate the compliance and current state of the partner organisation. A significant risk is that the case is considered closed after the implementation phase and the company lacks sufficient resources and interest in supervising the partner and working in co-operation.
However, one must bear in mind that the company continues to be responsible for complying with applicable regulation even after the processing of personal data has been transferred to the outsourcing partner. Therefore, also from the risk management perspective, it is advisable to interact regularly with the partner and to manage the partnership, e.g. through a meeting and reporting structure.[77]

[77] Information Security Forum: Information risk management in outsourcing and offshoring, January 2008, p. 25.
5.4 Review and exit phase

The longer the outsourcing partnership lasts, the more probable it is that the requirements (e.g. regulation) change in a manner that also affects the processing of data by the outsourcing partner. The parties must establish a way of communicating and handling such operative changes as a part of daily business. However, at some point along the way the time comes to review the partnership and decide on its future. That phase can be called the review phase, and it may lead to an exit if the parties cannot agree on the future terms of the partnership.

The whole lifecycle of the outsourcing and the data processing should be taken into account already in the preparation phase, and a preliminary plan for the exit should also exist at the agreement level. When the agreement is terminated, the company must ensure that the outsourcing arrangement is taken down in a controlled way in order to avoid any disturbance of business or breaches of applicable regulation and other requirements. As a result of a seamless exit process the operations are transferred either back to the company or to another outsourcing partner.
6 Conclusions

Outsourcing at its best brings efficiency, flexibility, increased know-how and cost savings to companies. These benefits do not come for free, however: it takes a huge amount of preparation, actual implementation work, maintenance and follow-up to make outsourcing work securely, seamlessly and in compliance with internal and external demands. It is easy to concentrate on the benefits of outsourcing and to underestimate the risks and the amount of work required from the company itself, both before and after the actual transfer of operations has taken place. Outsourcing is not a one-time event but a continuous relationship with the vendor (outsourcing partner) that lasts as long as the agreement is valid.

The concept of personal data is interpreted so widely that data protection and privacy aspects have to be taken into account in nearly all outsourcing cases. The current regulatory framework regarding the processing and transfer of personal data contains a set of basic tools enabling companies to carry out outsourcing activities. Even though the framework can be seen as supporting outsourcing, it may not always be consistent or easy to interpret and implement in practice. The more countries (and therefore the more legal frameworks) are involved, the more complex the situation grows. The responsibility for complying with applicable laws remains with the data controller (the company outsourcing its operations) no matter where the personal data is transferred to. This can lead to difficult challenges if the legal framework in the country where the data processor (the outsourcing partner) is located differs dramatically from the level of protection established within the EU. The risks can be mitigated to a certain degree by well-prepared agreements and follow-up activities; however, if the legal stability of a country is somewhat compromised, it can be hard to exercise the rights granted by an agreement, no matter how watertight it is.
Moreover, it is not possible to override national laws or the authority of the local authorities merely by an agreement between the outsourcing parties.

At the moment some conflicts of law may arise also at the EU level, since the Member States have chosen slightly different ways to implement the EU directives. The Commission intends to review and clarify the provisions regarding applicable law in connection with the overall review of the data protection regulation, which is a welcome improvement to the current state. The target is to achieve full harmonisation by using a regulation as a strong legal instrument. It is alarming that technical development and the related business models are evolving so fast that the regulator is always many steps behind. The concepts that have been suitable for more traditional outsourcing situations are too bureaucratic or impossible to deploy e.g. in cloud computing situations.

Many times the threat of losing reputation and brand value is even more severe than the legal risks. A single incident that compromises, for example, the confidentiality of customer data may cause the customers to choose another service provider. However, it can also be argued that outsourcing does not self-evidently increase the risks compared with a situation where the operations are taken care of in-house, since certain risks related to confidentiality, integrity and availability are always present even when the company itself takes care of the operations. It is all about identifying and evaluating threats and risks and mitigating them to the degree reasonably possible and realistic, e.g. by setting controls and following them up.

Data protection and privacy is not something that can be assigned as the responsibility of one person or unit. It is not something that the Legal Affairs or Sourcing unit just fixes by drafting agreements among themselves. Requirements related to the processing and transfer of personal data have to be identified, evaluated, implemented and followed up during the whole outsourcing lifecycle, and built into the processes just like any other aspect of the co-operation.
BIBLIOGRAPHY

Amundsen Hoel, Britt, CSO, Telenor Norge AS, Presentation: High risk – low cost – going offshore, ISF annual conference in Monaco, 2010.
Garner, Bryan A., Black's Law Dictionary, 8th edition, West Publishing Co, 2004.
Consolidated version of the Treaty on European Union, Official Journal ("OJ") of the European Union C 83.
Commission decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, 2010/87/EU, 5.2.2010.
Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609, Brussels, 4.11.2010.
Consolidated version of the Treaty on the Functioning of the European Union, OJ C 83.
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201.
European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29/11/2011.
European Convention for the Protection of Human Rights and Fundamental Freedoms.
European Court of Justice, Case C-101/01, Bodil Lindqvist, ECR 2003.
Finnish Personal Data Act (523/1999).
Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998), yksityiskohtaiset perustelut (Finnish Government proposal on the Personal Data Act, detailed justifications).
Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004.
Information Security Forum, Information risk management in outsourcing and offshoring, January 2008.
Information Security Forum, Security healthcheck.
Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset (Outsourcing of personal data processing, shared information systems, networking and the related agreements), 27.7.2010.
Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006.
Reding, Viviane, Privacy in the Cloud: Data Protection and Security in Cloud Computing, at the round-table high level conference on Mobilising the Cloud organised by GSMA Europe, Speech/11/859, 7.12.2011.
Reding, Viviane, Your data, your rights: Safeguarding your privacy in a connected world, Speech/11/183, 16.3.2011, Brussels.
Working Party (WP) on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP 12, 24.7.1998.
Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007.
Working Party, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005.
Working Party, Working document on data protection issues related to RFID technology, WP 105, 19.1.2005.

Web pages

Datainspektionen, Transfer of personal data to a third country, http://www.datainspektionen.se/in-english/in-focus-transfer-of-personal-data/#3
European Commission, What are EU directives?, http://ec.europa.eu/eu_law/introduction/what_directive_en.htm
Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf
Towards a Cloud Computing Strategy, http://ec.europa.eu/information_society/activities/cloudcomputing/index_en.htm