Out-Law News 3 min. read

Processors liable for some sub-processor data rule breaches, say watchdogs


Personal data processors in the EU are liable for any breaches of binding corporate rules (BCRs) by sub-processors based outside the trading bloc and may be responsible for settling any compensation claims by individuals whose rights have been affected, an EU privacy watchdog has said.

The Article 29 Working Party has drawn up a new checklist (11-page / 63KB PDF) for personal data processors explaining the conditions that must be met by those organisations when they agree to BCRs. The Working Party is a committee made up of representatives from the 27 data protection authorities in EU member states.

In its 'working document', adopted earlier this month, the Working Party said that organisations in control of personal data can contract with other organisations in order to arrange for that information to be processed. Those processors can, it said, form BCRs if they wish to conduct that processing outside of the European Economic Area (EEA). However, the processors are liable for any breaches of those rules that may occur, it said.

"The BCR must contain a duty for the EU headquarters of the processor or the EU Member of the Processor with delegated responsibilities or the EU exporters processor (e.g. the EU contracting party with the controller) to accept responsibility for and to agree to take the necessary action to remedy the acts of other members of the BCR established outside of EU or breaches caused by external sub-processor established outside of EU and to pay compensation for any damages resulting from the violation of the BCR ," the Working Party said.

"This member will accept liability as if the violation had taken place by him in the member state in which he is based instead of the member of the group outside the EU or the external sub-processor established outside of EU. This member may not rely on a breach by a sub-processor (internal or external of the group) of its obligations in order to avoid its own liabilities," the watchdog said.

"In case no member of the BCR Processor is established in the EU, the Headquarter of the group will take this liability (located outside of the EU). In this case, data subjects and data controller shall be entitled to lodge a complaint before the [data protection authority] or Courts of their place of residence/establishment," it added.

EU-based processors can avoid being liable for any breaches of BCR under certain circumstances, but the burden of proof is on them to demonstrate that those circumstances apply, the Working Party said.

"BCR must state that where data subjects or Data controller can demonstrate that they have suffered damage and establish facts which show it is likely that the damage has occurred because of the breach of BCR, it will be for the member of the group that accepted liability to prove that the member of the corporate group outside of Europe or the external sub-processor was not responsible for the breach of the BCR giving rise to those damages or that no such breach took place," it said.

"If the entity that has accepted liability can prove that the member of the group outside the EU is not responsible for the act, it may discharge itself from any responsibility," the watchdog added.

Current EU data protection laws prevent companies sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.

One mechanism open to companies to achieve those 'adequacy' standards is to put in place binding corporate rules. BCRs are legally-binding commitments companies draw up over the transfer and processing of personal data outside of the EEA to a country that is not a European Commission pre-approved country.

At the moment BCRs must be approved by data protection authorities in each EU member state where personal data may be internationally transferred from, but under planned reforms to the EU data protection framework BCRs approved by one regulator will apply in all other EU countries.

The Article 29 Working Party's checklist also outlines what data protection safeguards must be written into BCRs that would govern processors' activity in relation to personal data. The safeguards that should be written into BCRs include an explanation of the purpose of processors' personal data processing as well as the security measures that processors should have to adopt to prevent data breaches, it said.

"The working document aims to meet the expectations of companies acting as data processors by giving them the possibility to make use of BCR in the context of international transfers of personal data, for example in the context of outsourcing activities or cloud computing," the Working Party said in a statement.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.