Outsourcing and transfer of personal data - Titta Penttilä - TeliaSonera

OUTSOURCING AND TRANSFER OF PERSONAL DATA

7. Information Security Training Program Aalto University/ Aalto Pro 16.01.2012 Titta Penttilä


SUMMARY

Author: Titta Penttilä, LL.M., Senior Security Manager, [email protected]

Date and place: 16.1.2012, Helsinki, Finland

Course: Aalto University / AaltoPro: 7. Tietoturvallisuuden koulutusohjelma (7th Information Security Training Program)

Title: OUTSOURCING AND TRANSFER OF PERSONAL DATA

Outsourcing of business activities, both within the EU and to third countries, is becoming a natural part of today's business operations. The concept of personal data is very wide, and therefore the rules on the transfer of personal data are relevant in most outsourcing cases.

The Data Protection Directive of 1995 forms the current foundation of regulation in the EU Member States. The first part of this study describes the regulatory framework; the second part gives more practical guidance on taking personal data aspects into account in each phase of an outsourcing activity.

Keywords: outsourcing, personal data, privacy, data protection


Table of contents

1 Introduction
2 Regulation
  2.1 Fundamental rules of the European Union
  2.2 European Union directives
  2.3 Commission decisions, opinions and recommendations of the Working Party
  2.4 Finnish regulation
  2.5 Applicable law
  2.6 The new legal framework for the protection of personal data in the EU
3 Terminology
  3.1 Personal data
  3.2 Outsourcing
  3.3 Controller
  3.4 Processor
4 Transfer of personal data from controller to processor
  4.1 What determines a transfer of personal data?
  4.2 General principles on processing of personal data
  4.3 Transfers within Finland and the EU/EEA
  4.4 Transfers to third countries from the EU/EEA
    4.4.1 General aspects
    4.4.2 The alternative ways of proceeding
      4.4.2.1 Adequacy assessment
      4.4.2.2 Specific situations and conditions
      4.4.2.3 Standard contractual clauses approved by the Commission
      4.4.2.4 Adequate safeguards adduced by the controller
5 Outsourcing lifecycle and data protection
  5.1 Preparation phase
    5.1.1 Developing the business case
    5.1.2 Choosing the partner
    5.1.3 Agreeing with the partner
  5.2 Implementation phase
  5.3 Operation phase
  5.4 Review and exit phase
6 Conclusions
Bibliography


1 Introduction

Outsourcing of business operations or functions has become a growing trend and a natural part of today's business operations. When considering outsourcing, information security and privacy aspects are essential, since outsourcing nearly always involves transferring information to the outsourcing partner, and most of the time that information also includes personal data (e.g. concerning customers or employees).

Processing and transferring personal data is regulated at the European Union (EU) and national level. One major issue when planning outsourcing is to understand the demands of the regulation and the risks involved. When operating at national or even EU level the position is rather clear, but if operations are outsourced outside the EU to so-called third countries, the legal requirements are much more complex and leave room for interpretation.

In this study my aim is first to describe the regulatory background, the requirements and the possible ways to proceed, and then to take a more practical view on how the transfer of personal data to an outsourcing partner should be taken into account in each phase of the outsourcing lifecycle. The first part is mainly based on literature and official EU documents; the more practical latter part also draws on my own experience as legal counsel and senior security manager.

Since my aim is to cover outsourcing situations, I have limited the scope to transfers of personal data from a controller to a processor (i.e. from a company to an outsourcing partner that processes personal data on behalf of that company), and I will not look into controller-to-controller or intra-group transfers (e.g. Binding Corporate Rules). In addition, I look at the issue from the EU perspective and only cover transfers originating from the EU, i.e. transfers within a Member State, to another Member State or to a third country, using Finland as an example.

The main emphasis is on EU-level regulation, since that already forms the basis of regulation in all Member States and will do so even more strongly in the future. A comprehensive reform of EU data protection law is currently ongoing, which will also have an impact on the transfer of personal data in outsourcing cases; I have therefore included a brief look at the proposed future regulation. The perspective of this study is legal and administrative, so no technical aspects are covered.


2 Regulation

2.1 Fundamental rules of the European Union

The European Union is founded on two constitutive treaties, the Treaty on European Union and the Treaty on the Functioning of the European Union, which have the same legal value.

The Treaty on the Functioning of the European Union organizes the functioning of the Union and determines the areas of, delimitation of, and arrangements for exercising its competences,[1] and it also includes a provision on the protection of personal data:

Article 16
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

As referred to in Article 16 above, the Treaty on European Union states that the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States and the rules relating to the free movement of such data.[2]

Moreover, the protection of personal data is stated as one of the fundamental rights and commonly shared values adopted in the Charter of Fundamental Rights of the European Union (2010/C 83/02),[3] which is recognized in the Treaty on European Union.[4]

Article 8, Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

The Treaty on European Union also declares that the Union shall accede to the European Convention for the Protection of Human Rights and Fundamental Freedoms,[5] which includes the principle that everyone has the right to respect for his private and family life, his home and his correspondence.[6]

The protection of personal data and private life is therefore regulated at a fundamental level in several different binding European Union instruments, which may overlap. However, they all aim at the same target: ensuring the protection of personal data.

[1] Official Journal of the European Union C 83: Consolidated version of the Treaty on the Functioning of the European Union, art. 1.
[2] Official Journal of the European Union C 83, art. 39.
[3] Official Journal of the European Union C 83, p. 389.
[4] Official Journal of the European Union C 83: Consolidated version of the Treaty on European Union, art. 6.
[5] Official Journal of the European Union C 83/19: Consolidated version of the Treaty on European Union, art. 6.

2.2 European Union directives

EU directives set a target that must be achieved in every Member State, but each Member State may choose how it implements the directive in national law.[7]

The Data Protection Directive was adopted in October 1995. The Directive has a twofold objective derived from the goals of European integration: to ensure the free flow of personal data from one Member State to another and, on the other hand, to safeguard the fundamental rights of individuals (i.e. the right to privacy and data protection).[8]

In principle the directive applies to all processing of personal data. It includes rather detailed provisions on the lawfulness of processing personal data, judicial remedies, liability and sanctions, as well as on the transfer of personal data to third countries, which is described later in chapter 4.4.

The European Commission is preparing a revision of the legal framework for data protection to meet the new demands of the rapid technological development and globalization that have changed the world and brought new challenges.[9] The aim is to propose a new General Data Protection Regulation, which is briefly described later in chapter 2.6.

There are also other, more sector-specific directives, such as the Directive on privacy and electronic communications, which concerns the processing of personal data in the electronic communications sector.[10]

2.3 Commission decisions, opinions and recommendations of the Working Party

The Commission decisions relevant in the context of this study are:

- findings on an adequate level of protection in certain third countries, and
- standard contractual clauses that are sufficient to safeguard an adequate level of protection when transferring personal data to third countries.

These are described in more detail in chapters 4.4.2.1 and 4.4.2.3.

A Working Party is set up under the Data Protection Directive. It is composed of the national data protection authorities, representatives of the Community institutions and a representative of the Commission. The Working Party has advisory status and may make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the EU.[11]

[6] European Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8.
[7] European Commission, http://ec.europa.eu/eu_law/introduction/what_directive_en.htm
[8] OJ L 281, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 1.
[9] Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609, Brussels, 4.11.2010, p. 2.
[10] OJ L 201, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

2.4 Finnish regulation

The Constitution of Finland (731/1999) guarantees the right to privacy:

Section 10 - The right to privacy
Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.

Finland has implemented the Data Protection Directive by adopting the Personal Data Act (523/1999), which entered into force in June 1999. The new act replaced the former Personal Data File Act of 1988, but the main principles remained the same.

Other central, more sector-specific privacy laws are the Act on the Protection of Privacy in Electronic Communications (516/2004), which was enacted on the basis of the Directive on privacy and electronic communications, and the Act on the Protection of Privacy in Working Life (759/2004), whose purpose is to promote the protection of privacy and the other basic rights that safeguard privacy in working life.

2.5 Applicable law

The general rule is that the law of the Member State where the controller is established applies to the processing of personal data, regardless of where or by whom the data is processed.[12] In outsourcing situations the company outsourcing its operations stays in control of the data, and the outsourcing partner may process the data only on behalf of the company and according to its instructions. The company therefore remains the controller and the outsourcing partner is a processor, which means that the law of the Member State where the outsourcing company is established applies even when the processing is performed by an outsourcing partner in another Member State or in a third country. Moreover, the transfer of data does not free the controller from its obligations; instead the controller continues to be liable under that Member State's law for any damage caused by unlawful processing of personal data. The controller may, however, be able to recover its losses in a separate legal action against the processor based on the outsourcing agreement.[13]

Notwithstanding the general rule presented above, the law of the country where the processor is located may contain requirements that override the national law of the controller, for example by compelling disclosure of personal data to the state (e.g. to the police). Within the EU this possibility is restricted to disclosures that are necessary in a democratic society for one of the "ordre public" reasons stated in the Data Protection Directive. In third countries, however, similar restrictions may not be in place.[14]

The rules on applicable law are not always clear, and there is an unfortunate possibility of conflicts of law, especially when many Member States are concerned (e.g. a multinational company established in several Member States provides services). Ever-increasing globalization and technological development add to the complexity. The Commission has stated that it will examine how to revise and clarify the existing provisions on applicable law in order to improve legal certainty and clarify the Member States' responsibilities. The ultimate goal is to give EU citizens the same degree of protection regardless of the geographic location of the data controller.[15]

[11] Data Protection Directive, art. 29 and art. 30.
[12] Data Protection Directive, art. 4.

2.6 The new legal framework for the protection of personal data in the EU

A draft version of the proposal for the new General Data Protection Regulation was leaked at the beginning of December 2011, even though it was not supposed to be published until January 2012. Since the official proposal is not available at the time of writing, I refer below to the unofficial draft.

Contrary to the current Data Protection Directive, the new framework is to be based on a regulation and is therefore directly applicable without national implementation. The main challenges with the current framework have not been its objectives or principles, which are to remain largely the same, but the fragmentation of its implementation across the Member States and the legal uncertainty added by rapid technological development and ever-increasing global business activities. The proposed regulation aims to tackle the current challenges by introducing a solid and strong foundation for data protection and by moving towards full harmonization.[16]

The main issues of the data protection reform, as described by Viviane Reding, the EU Justice Commissioner, are the following:

- Increased transparency requirements and control for citizens over their personal data.
- Privacy by design, meaning that services should include built-in privacy features.
- An obligation to notify data breaches to authorities and users (previously imposed only on telecom operators).
- A right to data portability, meaning that users should not be locked in to a certain service; the service provider must enable the transfer of the user's personal data to another service.
- Making the EU legal framework simpler for businesses by eliminating unnecessary costs and administrative burdens and creating a level playing field for companies.
- Supporting international transfers so that there is one single set of rules for transfers of personal data to third countries and no additional national conditions.
- Emphasizing the importance of trust and encouraging innovation.[17]

The new draft regulation clarifies the applicable law issue in outsourcing situations to a certain degree. Within the EU the new regulation would harmonize and unify the rules in the different Member States, since local differences within the scope of the regulation would no longer be accepted because of its direct applicability. However, how much room for interpretation is left to the national authorities, and what the role of the new European Data Protection Board will be, remains to be seen.

Moreover, "all processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this [new] regulation, regardless of whether the processing itself takes place within the Union or not".[18] It is thus clearly stated that personal data continues to be subject to EU regulation even when it is processed in a third country.

The main elements of the transfer of personal data to third countries are to remain similar to the current ones. A transfer may be based on an adequacy decision made by the Commission, and the proposal clarifies the matters that the Commission needs to take into account when making such an assessment. If an adequacy decision does not exist, the transfer may take place by way of appropriate safeguards, e.g. standard data protection clauses adopted by the Commission. As today, there is also a third alternative: relying on the specific derogations stated in the proposed regulation.

A new approach is that the concept of binding corporate rules, which so far has been a possible tool when transferring personal data within a group of companies, is now proposed to be broadened to cover also a group of undertakings and its members.[19] It is uncertain whether an outsourcing relationship could be considered to form such a group of undertakings within the meaning of the proposed regulation.

Unfortunately, the new proposal does not seem to bring concrete answers or solutions to new international phenomena such as cloud services. The interest has so far been more in protecting citizens' rights than in enabling companies to take advantage of the possibilities of cloud computing. However, a European Cloud Computing Strategy is to be launched during 2012 that also covers matters related to the legal framework.[20]

[13] Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP 12, 24.7.1998, p. 18-19 and p. 21.
[14] Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP 12, 24.7.1998, p. 21.
[15] European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 11.
[16] European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29/11/2011, Explanatory memorandum, p. 3.
[17] Viviane Reding, Privacy in the Cloud: Data Protection and Security in Cloud Computing, round-table high level conference on Mobilising the Cloud organised by GSMA Europe, SPEECH/11/859, 7.12.2011.
[18] General Data Protection Regulation draft, recital 13.
[19] General Data Protection Regulation draft, art. 40.
[20] Towards a Cloud Computing Strategy; http://ec.europa.eu/information_society/activities/cloudcomputing/index_en.htm


3 Terminology

3.1 Personal data

It is critical to understand the concept of personal data in order to interpret the applicable legislation and comply with it. The Data Protection Working Party has scrutinized the concept in its Opinion 4/2007, which is described below.

According to the Data Protection Directive (95/46/EC), "personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".

The purpose of the Data Protection Directive is to protect the fundamental rights and freedoms of individuals (especially privacy) with regard to the processing of personal data. The definition is intended to be broad and to cover, as a general rule, any kind of information that can in one way or another be related to an identified or identifiable person.[21]

The definition can be divided into four separate requirements that together form the concept of personal data. First, the definition refers to "any information", which clearly shows the intention of a broad interpretation. The information may be subjective, such as opinions and assessments (e.g. hard-working, reliable payer), or objective (e.g. blood type). Information considered personal data may even be false. Moreover, the content of the information may be of any sort relating to private, family or working life. Nor are there any limitations regarding the format or the place where the information is stored: the information may e.g. be alphabetical or numerical, stored on a computer hard drive or on a video tape. Even sound (e.g. phone call recordings), images (e.g. video surveillance recordings) or biometric data (e.g. fingerprints, vein patterns, behavioural characteristics such as a particular way of walking or speaking) is within the scope.[22]

Secondly, the information has to "relate to" a person. Data relates to an individual if it refers to the identity, characteristics or behaviour of the individual, or if it is used to determine or influence the way in which that person is treated or evaluated.[23] To consider information as relating to an individual, three alternative elements can be distinguished: content (information is given about a particular person, e.g. medical results relate to the patient), purpose (information is used, or is likely to be used, with the purpose of evaluating, treating in a certain way or influencing the status or behaviour of an individual) and result (information is likely to have an impact on a certain person's rights and interests). It is enough that one of these alternative elements is present. A simplified general rule that can be used as a good starting point when assessing whether information relates to an individual is that information which is about an individual also relates to that individual.[24]

The third requirement is that the information relates to a natural person who is "identified or identifiable". As a general rule a person is identified when, within a group of persons, the person is distinguished from all other members of the group. The context and circumstances determine when certain identifiers are sufficient to achieve identification (e.g. a common family name is rarely enough to identify a person unless the group is small, for example Penttilä from Corporate Security of TeliaSonera). An individual may be identified directly, most commonly by name, or indirectly by combining pieces of information, which may or may not all be held by the data controller, so as to narrow down to a single person.[25]

However, it is enough that a person is identifiable even though not yet identified. When assessing whether a person is identifiable, one should take into account all the means likely reasonably to be used either by the controller or by any other person to identify the person in question, today or in the future, during the whole lifetime of the data processing (e.g. IP addresses can with reasonable means be related to identified persons by internet access providers). The purpose of the processing may indicate that the data controller aims to identify the persons sooner or later, and in that case it is hard to argue that there are no means likely reasonably to be used for identification (e.g. the purpose of video surveillance is in the end to identify persons that have unlawfully accessed premises).[26]

In outsourcing cases it may be enough that the outsourcing partner receives and processes pseudonymised data. Pseudonymisation can be done e.g. by key-coding the data: each individual is given a code, and the code and the identifiers of the individual (e.g. name, personal ID) are kept separately. If pseudonymised data is transferred to the outsourcing partner but the partner has no means likely reasonably to be used to access the key (the list that reveals the link between a code and an individual) or otherwise become aware of the identity of the persons, the transfer is not to be considered a transfer of personal data.[27] If data is anonymous in the sense that no individual can be identified by the data controller or any other person, taking into account all the means likely reasonably to be used to identify that individual, the data is not personal data. The analysis must be performed case by case, considering the circumstances now and during the whole lifetime of the data processing.[28]

The fourth element of the definition is that the Data Protection Directive applies to natural persons (i.e. human beings) without any restrictions related e.g. to nationality or residence. Data on dead persons is in principle not considered personal data, since the dead are no longer natural persons in civil law. However, there may be exceptions to that general rule in national laws, and in some cases data on a dead person may also relate to a living person and therefore be considered personal data.[29] Information relating to legal persons (e.g. companies, associations) is not personal data, unless the data also relates to natural persons (e.g. a corporate e-mail address that is used by a certain employee). The Finnish Communications Regulatory Authority has stated that the confidentiality of communications remains in force also after a party to the communications has died (e.g. the heir has no right to receive a full itemization of the phone bill for the period before the death).

[21] Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 4.
[22] Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 6-9.
[23] Data Protection Working Party, Working document on data protection issues related to RFID technology, WP 105, 19.1.2005, p. 8.
[24] Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 10-11.
[25] Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 13.
[26] Data Protection Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007, p. 15-16.

3.2 Outsourcing

There is no commonly agreed exact definition of outsourcing; however, in general the term is used to describe the process of subcontracting services or goods from a third party.

Information Security Forum members have in workshops agreed on the following definition:

“Outsourcing is the transfer of the operation or creation of activities, services or facilities from an organisation to a third party provider. The responsibility for managing the arrangement lies with the organisation and delivery with the provider”.30

Offshoring is one type of outsourcing, referring to

“those business functions that are carried out at a location outside of the organisation’s home state (country)”.31

27 Data Protection Working Party, Opinion 4/2007 on the concept of personal data WP 136, 20.6.2007, p. 18 – 21.
28 Data Protection Working Party, Opinion 4/2007 on the concept of personal data WP 136, 20.6.2007, p. 21.
29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data WP 136, 20.6.2007, p. 22.
30 Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004, p. 5.
31 Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004, p. 5.

Black’s Law Dictionary defines an outsourcing agreement as follows:

“An agreement between a business and a service provider in which the service provider promises to provide necessary services, esp. data processing and information management, using its own staff and equipment, and usu. at its own facilities”.32

In TeliaSonera’s internal terminology outsourcing activity is divided into two separate terms: outsourcing and sourcing of services. Outsourcing is defined as a “one time activity to transfer an outsourcing object to a supplier/partner”, and sourcing of services begins when, “after completion of outsourcing activity TeliaSonera continues to buy services from the supplier/partner”.

After the actual transfer of operations to the outsourcing partner, there is a risk that interest in the outsourcing case decreases and the case is more or less considered closed. However, it is equally important to manage the period after the actual transfer and ensure that the outsourcing partner fulfils the requirements set in the agreement during the whole term of the agreement. Therefore in my study I will cover both the outsourcing and the sourcing of services phases.

3.3 Controller

According to the Data Protection Directive article 2 d, “controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.”

In practice the controller is the party that decides what data is collected and stored, the purpose of the processing of data as well as the means. In other words the controller is an organization that controls and is responsible for the personal data which it holds.33 The controller is also responsible for ensuring that the personal data is lawfully collected and processed. In the outsourcing context the controller is the party that transfers its operations to an outsourcing partner.

32 Bryan A. Garner, Black’s Law Dictionary, 8th edition, West Publishing Co, 2004, p. 1136.
33 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 10.

3.4 Processor

The Data Protection Directive (art. 2 d) defines the processor as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”

In an outsourcing case the processor is the outsourcing partner to whom a controller has outsourced certain of its activities. The processor does not have an independent right to process any personal data of the controller, since its rights are derived from the controller; thus the processor always acts on behalf of the controller and according to its instructions.

4 Transfer of personal data from controller to processor

4.1 What determines a transfer of personal data?

The Personal Data Directive does not define what kind of activity equals a transfer of personal data. A transfer can be interpreted to cover all cases where a controller takes action in order to make personal data available to a third party.34 Transfer and disclosure of information differ in the sense that when information is transferred the controller may also remain the same.35

The Finnish Data Protection Ombudsman has expressed that establishing remote access to data also equals a transfer, even though the physical database is not itself transferred36 (e.g. if a database is located in Finland but can be accessed remotely from India, it is considered a transfer outside the EU).

However, it is not completely clear when a transfer occurs: for example, if a company discloses contact information of its employees outside the EU or EEA (the European Economic Area) over the phone, e-mail or internet, is that to be considered a transfer? The provision regarding transfer should be applied when transferring individual pieces of data as well as large quantities.37 Moreover, the Court of Justice has stated that there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider established in that State or in another Member State, thereby making those data accessible to anyone connecting to the internet, even outside the EU/EEA.38

In outsourcing cases it is often quite clear that personal data is transferred to an outsourcing partner, either by making data available via remote access or by actually transferring certain databases to be stored in data rooms at the outsourcing partner’s facilities. Even though both alternatives are to be considered a transfer, there is a difference in what kind of security requirements have to be set on the outsourcing partner. The actual transfer of a database is the more critical case when assessing the need for security controls and requirements.

34 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 18.
35 Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998) yksityiskohtaiset perustelut, luku 5 (Government proposal on Personal Data Act).
36 Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset, 27.7.2010, p. 11.
37 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 3.
38 Case C-101-01, Bodil Lindqvist, ECR, 2003, p. I-12971, see also question 3: http://www.datainspektionen.se/in-english/in-focus-transfer-of-personal-data/#3

4.2 General principles on processing of personal data

The Data Protection Directive and the national laws based on it include various requirements on collecting and other processing of personal data that are the responsibility of the controller. These are briefly described below, based on the Finnish Personal Data Act and the Data Protection Directive, in order to give some background information on the general rules applicable to the processing of personal data:

Duty of care

The controller as well as anyone operating on behalf of the controller shall process personal data fairly, lawfully and carefully.

Planning obligation

The controller shall plan the processing of personal data: the purposes of the processing, the regular sources of personal data and the regular recipients of recorded personal data shall be defined before the collection of the personal data. According to the Finnish Personal Data Act the result of this planning has to be expressed in a description of the personal data file that is made available to anyone.

Exclusivity of purpose

Personal data may not be processed in a way incompatible with the purposes defined before collection of the personal data.

Necessity requirement

The personal data processed must be adequate, relevant and not excessive in relation to the purposes for which they are collected and processed, and they may not be kept in an identifiable form longer than is necessary for the purposes for which the data were collected or processed.

Accuracy requirement

The personal data must be accurate and up to date, and no erroneous, incomplete or obsolete data are to be processed.

General prerequisites for processing

Personal data may be processed only if certain prerequisites for processing are met. The most relevant applicable prerequisite from the point of view of a controller providing services or goods to customers is the connection requirement, i.e. processing is necessary for the performance of a contract or for taking steps prior to entering into a contract. This applies e.g. to customers and employees of the controller. However, one must bear in mind all the other principles and requirements that also have to be fulfilled in order to comply with regulation.

Other possible grounds for processing of personal data are e.g. unambiguous consent of the data subject, the processing being necessary for compliance with a legal obligation, or the need to protect a vital interest of the data subject.

Transparency principle

The controller shall provide information on the processing of personal data to the data subject, such as the identity of the controller, the purposes of the processing of data, the recipients of the data and information on the rights of the data subject.

Every data subject shall have the right to obtain information on the processing of his/her personal data from the controller, as well as the right to have in particular incomplete or inaccurate data rectified, erased or blocked.

Security of processing

The Data Protection Directive sets demands on the security of the processing not only when the controller itself processes data but also when processing is carried out on its behalf by a processor.

The controller must ensure that appropriate technical and organizational measures are taken to maintain security both at the time of the design of the processing system and at the time of the processing itself.

“…the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”

The legislator understands that it is in general extremely hard, even impossible at reasonable cost, to accomplish complete, bulletproof data security. Therefore these security measures shall be designed taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected.39 The higher the risk and/or the deeper the intervention into the privacy of an individual, the higher are the demands on the security.

39 Personal Data Directive (95/46/EC) recital 46.

If the processing of personal data is carried out by a processor on behalf of the controller, the Personal Data Directive also requires that the controller must choose a processor providing sufficient guarantees of technical and organizational security measures, as well as ensure compliance with those measures.40

Confidentiality

Personal data are confidential and may not be disclosed to third parties against the provisions of applicable law.41 Any person who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.42

In addition to the general principles described above there are requirements on the processing of special categories of data (e.g. sensitive data) and on processing for certain specific purposes (e.g. direct marketing, historical, statistical or scientific purposes), as well as certain exceptions regarding for example national or public security, criminal procedures and national defence.

4.3 Transfers within Finland and the EU/EEA

The target of the Data Protection Directive is – in addition to protecting the right to privacy – to ensure the free flow of personal data within the EU. Each Member State has had to adopt national provisions pursuant to the directive, i.e. implement it into local law.43 Personal data may therefore be transferred within the EU and the European Economic Area (EEA) countries on the same grounds as disclosing, transferring or otherwise submitting them within a Member State.44

Transfer of personal data in an outsourcing situation from controller to processor is not considered a disclosure of data, which would in many cases require consent from the data subject. The processor processes the personal data only on behalf of the controller and according to the controller’s requirements that are stipulated in an outsourcing agreement. The controller is responsible for the lawfulness of the processing and the processor for complying with the agreement.45

40 Personal Data Directive (95/46/EC) art. 17.2.
41 Finnish Personal Data Act (523/1999) 33 §.
42 Personal Data Directive (95/46/EC) art. 16.
43 Personal Data Directive (95/46/EC) art. 1 and 32.
44 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 4.
45 Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset, 27.7.2010, p. 3.

Transfer of personal data to a processor within Finland or the EU/EEA is possible only if the general principles described in chapter 4.2 above are fulfilled. For example, the data may not be transferred to be processed for any purpose incompatible with the purposes earlier defined by the controller. The processor is acting on behalf of the controller and therefore cannot have any better rights to the data than the controller itself has.

There are no binding model agreements or contractual clauses for transfers within a Member State or the EU/EEA. However, the Personal Data Directive (art. 17.3) requires that a contract or binding act has to be in place between a controller and a processor. This so-called Data Transfer Agreement (DTA) must include at least the following requirements: a) the processor shall act only on instructions from the controller, and b) the data security related obligations specified in article 17 paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor. Therefore, in order to comply with regulation and to ensure that each party understands and undertakes its responsibilities regarding the processing of personal data during the whole lifecycle of the outsourcing relationship, it is essential to include terms and conditions related to the processing of personal data in the outsourcing agreement, or even to sign a separate data protection agreement.

The requirements in the Personal Data Directive (art. 17.3) are implemented in the Finnish Personal Data Act 32 § as follows:

“1) The controller shall carry out the technical and organisational measures necessary for securing personal data against unauthorised access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. The techniques available, the associated costs, the quality, quantity and age of the data, as well as the significance of the processing to the protection of privacy shall be taken into account when carrying out the measures. (2) Anyone who as an independent trader or business operates on the behalf of the controller shall, before starting the processing of data, provide the controller with appropriate commitments46 and other adequate guarantees of the security of the data as provided in paragraph (1).”

It is worth noting that the Finnish Personal Data Act does not literally require a written contract or binding act to be in place between the parties. However, it is more than advisable to conclude a written DTA with an outsourcing partner also when working with a Finnish outsourcing partner.

46 In Finnish: “annettava rekisterinpitäjälle asianmukaiset selvitykset ja sitoumukset“

4.4 Transfers to third countries from the EU/EEA

4.4.1 General aspects

Contrary to transfers within the EU, the transfer of personal data outside the EU to third countries is rather strictly regulated in order to ensure an adequate level of protection. EU Justice Commissioner Viviane Reding has pointed out “protection regardless of data location” as one of the four pillars on which people’s rights need to be built, meaning that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed.47 Third countries are all countries other than the EU Member States and the European Economic Area (EEA) countries.

There are two main rules that have to be complied with when considering transfer of personal data to a third country: a) the personal data in question must have been collected and processed in accordance with the national laws applicable to the controller established in the EU, and b) the third country in question ensures an adequate level of protection or one of the derogations laid down in the directive is applicable.48

The general principles referred to in the first rule have already been described above in chapter 4.2. If those are not complied with, the transfer is considered illegal even though the second requirement of an adequate level of protection is met. In particular one must ensure that the purpose of the transfer is compatible with the one for which the data were initially collected (exclusivity of purpose).

From the point of view of a company wanting to outsource its operations to a third country, the easiest option to go ahead with the transfer is that the third country has been found by the Commission to provide adequate protection. If that is not the case, it may be easiest to use the standard contractual clauses approved by the Commission to proceed with the transfer. These and also other options to be evaluated before transferring data to a third country are described below.

4.4.2 The alternative ways of proceeding

4.4.2.1 Adequacy assessment

The main principle laid down in the Data Protection Directive is that personal data may be transferred outside of the EU or EEA countries only if the third country in question ensures an adequate level of protection. The adequacy level shall be assessed in the light of all the circumstances surrounding a data transfer operation(s). In particular one shall consider the nature of the data, the purpose and duration of the processing operation(s), the country of origin and country of final destination, the rules of law (general/sectoral) in force in the third country in question and the professional rules and security measures which are complied with in that country.49 The adequacy of the protection may be assessed either by a Member State according to national legislation or by the Commission.

47 Reding Viviane, Speech/11/183, Your data, your rights: Safeguarding your privacy in a connected world, 16.3.2011, Brussels. The other three pillars are: right to be forgotten, transparency and privacy by default.
48 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 19 – 20.

The directive requires that each Member State achieves the set result, i.e. ensures an adequate level of protection in the third country, but leaves room for choice in how the result is achieved. The degree of involvement of the data protection authority in these so-called self-assessment cases varies between Member States, which may lead to the risk that the level of protection provided in a third country is judged differently in different Member States.50 In Finland the controller assesses the adequacy first, but must notify the Data Protection Ombudsman of such a transfer, who then evaluates whether the reached level of protection is adequate.

Moreover, the Commission may make a binding decision that a certain country51 ensures an adequate level of protection, in which case there are no formal extra requirements related to the transfer, and it may take place on the same grounds as within the EU. These so-called Commission adequacy findings provide legal certainty and uniformity throughout the EU.52 The Commission adequacy findings are based on the same criteria as explained above, but according to the Commission’s study the requirements are not specified in satisfactory detail. Therefore the Commission will aim to clarify the Commission’s adequacy process and specify the assessment criteria and requirements in more detail in connection with the ongoing revision of the EU legal framework for data protection.53

49 Data Protection Directive Art. 25.
50 European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 15.
51 An up-to-date list of these countries is available at: http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm
52 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 4.
53 European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.11.2010, Brussels, p. 15.

4.4.2.2 Specific situations and conditions

Even though a third country does not ensure an adequate level of protection, transfer of personal data may take place according to the derogations laid down in the directive54, if one of the following conditions is met:

a) The data subject has given unambiguous consent to the transfer. The consent must be clear, voluntary, detailed and consciously given, based at least on information on what data, for what purpose, to whom and to what country the data will be transferred. Mere failure to object by an informed data subject does not constitute unambiguous consent.55

b) The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken in response to the data subject’s request. This derogation may seem extensive, but in fact it is limited by the strict interpretation of the necessity requirement. There needs to be a close and substantial connection between the data subject and the purposes of the contract in order to pass the necessity test. For example, this derogation may not be relied upon in order to transfer data of employees from a subsidiary to the parent company (e.g. to a centralized payment and HR functions system), since there is no sufficient link between the performance of an employment contract and such a transfer of data.56 However, the Finnish Data Protection Ombudsman has given an opinion that contact information of employees of a multinational corporation may be published on the company’s intranet in order for the employees to be reached by colleagues employed by the same company.57

c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party. Just like in the previous derogation (b), the interpretation of necessity is very narrow. The data controller must be able to prove that the data transfer is necessary for the performance of the contract. For example, in an outsourcing situation where a company is planning to transfer employee information to an outsourcing partner located outside the EU, to whom the company is aiming to outsource its payroll management, there is not a close enough link between the data subject’s interests and the contract, even though the outsourcing partner is to manage salary payments to the employees.58 This derogation could be applicable to transfers made in order to conclude a contract on the insurance or health care of an employee working abroad.59

d) The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. The regulator has intended this derogation mainly for situations where international exchanges of data may be necessary between tax or customs administrations or between services competent for social security matters. Once again the requirements are subject to strict interpretation.60

e) The transfer is necessary in order to protect the vital interests of the data subject, such as in the case of a medical emergency. Vital interests refer to interests essential to the life of the data subject, not to economic or property related interests.61

f) The transfer is made out of a public register which is open to the public in general or to anyone who can demonstrate a legitimate interest. This however does not allow the transfer of the whole register or entire categories of data contained in the register, due to the risk that the data is used for another purpose in the third country than initially planned.62

These exemptions from the general principle of ensuring adequate protection must be interpreted restrictively. Their scope is intended to be narrow and to cover mainly cases where risks to the data subject are relatively small or where other interests override the data subject’s right to privacy.63 Otherwise the situation would be quite risky from the data subject’s point of view, since there may be a total lack of protection in the third country, or at least a significantly lower level of protection than in the EU.64

54 Personal Data Directive (95/46/EC) art. 26.1.
55 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 8.
56 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 13.
57 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 8.
58 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 14.
59 Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998) yksityiskohtaiset perustelut, yksityiskohtaiset perustelut 23 § (Government proposal on Personal Data Act).
60 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 15.
61 Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006, p. 9.
62 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 16.
63 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 7.
64 Working Party 29, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005, p. 6.

4.4.2.3 Standard contractual clauses approved by the Commission

The Commission may decide that certain standard contractual clauses offer sufficient

safeguards with respect to the protection of the privacy and fundamental rights and

freedoms of individuals and as regards the exercise of the corresponding rights.65

Personal data may therefore be transferred to a third country that does not offer an

adequate level of protection if an applicable set of standard contractual clauses is used.

The target and scope of a contract in the case where personal data is transferred

outside the EU area, is much wider than in transfers within the EU. Between parties

within the EU countries the contract as explained in Chapter 4.3 is a tool to define and

agree on the responsibilities between two or more parties. However, when transferring

data to a third party located outside the EU area, the contract must provide additional

safeguards, because the receiving party is not governed by the EU data protection

regulation. These requirements are included in the standard contractual clauses in order

to ensure adequate safeguards.66

In outsourcing situation the outsourcing partner is acting as a processor and processing

personal data on behalf a controller (the company outsourcing its activities) and

according to controller’s instructions. The Commission has adopted an updated version

of the standard contractual clauses covering such transfers from a controller to

processor (controller to processor clauses) on 5.2.2010. The preceding, now repealed

clauses, were from the year 2002.67 The Member States must in general accept

transfers conducted by using the approved standard contractual clauses.68 There may

be differences in national laws regarding obligation to notify local authorities, but in

Finland no such requirement exists.

The standard contractual clauses reflect the general principles of the Data Protection Directive, which are described in more detail in Chapter 4.2 above. The headings of the controller to processor contractual clauses are the following:

- Definitions

In the context of the contractual clauses the controller is referred to as the data exporter and the processor as the data importer. Another important term included in the new set of clauses is the sub-processor, which means in brief a subcontractor of the processor (data importer) or the subcontractor's subcontractor.

65 Data Protection Directive art. 26.2 and art. 26.4.

66 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Working Document Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP12, 24.7.1998, p. 16-17.

67 There are two other sets of standard contractual clauses approved by the Commission, but they apply to transfers from controller to controller only (decisions Set I 2001/497/EC and Set II 2004/915/EC, the so-called business clauses).

- Details of transfer

Details of the transfer, such as the data subjects, the categories of data and the processing operations, are to be defined in an appendix.

- Third-party beneficiary clause

The standard contractual clauses should be enforceable by the data subjects against the controller and, in certain cases, even against the processor, e.g. when the data subject suffers damage as a consequence of a breach of the contract.69

- Obligations of the data exporter

The main responsibilities of the data exporter include ensuring that the data processing has been and will be carried out in accordance with the applicable law, instructing the data importer throughout the processing to process the personal data only on the data exporter's instructions and in accordance with the law, and ensuring that the appropriate security measures are complied with.

- Obligations of the data importer

The main obligations of the data importer include processing personal data only according to the data exporter's instructions, warranting that it has no reason to believe that the legislation applicable to it (e.g. local laws) prevents it from fulfilling its obligations, and implementing technical and organisational security measures.

- Liability

This describes the alternative ways for the data subject to receive compensation for damages resulting from a breach of the agreement.

- Mediation and jurisdiction

If there is a dispute between a data subject and the data importer, the data subject may choose either mediation or litigation.

- Cooperating with supervisory authorities

The supervisory authorities (i.e. the national data protection authorities) may receive a copy of the agreement and may also audit the data importer and any sub-processor.

68 The Member States may prohibit or suspend data flows only in the situations described in Article 4 of the Commission decision on the standard contractual clauses (2010/87/EU).

69 Commission decision 2010/87/EU, 5.2.2010, recitals 19-20.

- Governing law

The clauses are governed by the law of the Member State in which the data exporter is established.

- Variation of the contract

The standard contractual clauses approved by the Commission may not be amended by the parties. The parties may, however, add business-related terms to the agreement as long as these do not contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of the data subjects. If other modifications or alterations are made to the clauses, they are no longer treated as standard contractual clauses benefiting from the special treatment, but fall under the situation described above in Chapter 4.4.2.1, where the data exporter adduces adequate safeguards on a case-by-case basis, as assessed by the national authorities.70

- Sub-processing

In many cases the processor in a third country needs to further transfer the data received from a controller located in the EU to another processor located outside the EU (e.g. to a subcontractor). The new set of standard contractual clauses also covers these subsequent onward transfers that occur outside the EU area, which makes data transfers to international actors less bureaucratic. The sub-processing clauses aim to ensure that the personal data being transferred continue to be protected notwithstanding the subsequent transfer to a sub-processor.71 These clauses do not apply to a situation where a processor located in the EU transfers personal data to a sub-processor located in a third country.72

- Obligation after the termination of personal data-processing services

The parties agree on the return or destruction of the personal data, as well as on confidentiality, after the agreement is terminated.

70 Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, p. 28.

71 Commission decision 2010/87/EU, 5.2.2010, recital 17.

72 Commission decision 2010/87/EU, 5.2.2010, recital 23.


4.4.2.4 Adequate safeguards adduced by the controller

Instead of taking advantage of the standard contractual clauses described above, a controller may itself offer adequate safeguards with respect to the protection of the privacy and rights of individuals. These may be, for example, self-drafted contractual clauses directed at one specific case that are authorised by the national data protection authority.


5 Outsourcing lifecycle and data protection

The outsourcing lifecycle can be divided into four phases: preparation, implementation, operation and review.73 These four phases are assessed below, especially from the viewpoint of transferring personal data.

5.1 Preparation phase

The aim of the preparation phase is to create a business case and to agree in general within the company that outsourcing is the way forward. In the latter part of this phase the outsourcing partner is chosen and the agreements are negotiated.

5.1.1 Developing the business case

It is easy to focus on the benefits of outsourcing, such as cost savings, increased competence and efficiency. When creating a business case, however, it is just as important to evaluate the risks and the additional process and administration costs that may result from the specific requirements applying to the object of the outsourcing. Moreover, outsourcing sometimes becomes an end in itself while the targets to be achieved remain unclear. Without a comprehensive understanding of the whole outsourcing case, its goals and its risks, it is impossible to make an informed decision on whether to outsource or not.

The risks to consider may relate, for example, to the following aspects74:

- Country risks: e.g. cultural, environmental, political, infrastructural and regulatory issues, as well as distance.
- Company risks: e.g. how mature the company's security level is and how security is governed.
- HR risks: e.g. the competence and awareness level of the employees.
- Data risks: e.g. ensuring confidentiality, availability and integrity.
- Deliverables risks: e.g. the reliability of hardening and delivery methods.

It should be kept in mind that the risk of outsourcing is the additional risk compared with the risk of the company running the operations to be outsourced itself, not the total risk.

In most cases outsourcing involves the transfer of personal data to the outsourcing partner, either an actual transfer to the partner's data room or the granting of remote access to the company's systems. It is essential to identify the criticality of the data and the data categories, as well as the specific requirements related to them. The requirements may be rooted in regulation, customer agreements or the company's own policies (e.g. data classification and handling instructions) and risk appetite. The data may include, for example, personal data, traffic data or even the content of communications, which may be processed only in accordance with applicable EU and national legislation; certain customer agreements may also place restrictions on customer data, e.g. prerequisites on by whom and where the data may be processed. One must also bear in mind the principle of exclusivity of purpose laid down in the Personal Data Directive, which prohibits processing personal data in a way incompatible with the purposes defined before the personal data was collected, as well as the other general principles.75

73 Information Security Forum, Information risk management in outsourcing and offshoring, January 2008, p. 3.

In addition to the risk analysis, it is advisable to perform a business impact assessment, whose result shows the possible impact on the company if information is improperly exposed, changed or made unavailable. Even though the legal prerequisites for transferring all kinds of personal data to third countries are the same, the business impact may be quite different if "only" the names of customers are processed without authorisation, compared with a situation where the confidentiality of personal IDs, medical records, traffic data (e.g. information on the communication or on the location of the subscription) or even the content of communications (e.g. e-mail messages) is compromised. The controls and additional requirements should be decided on the basis of this analysis and the criticality of the information, taking into account the company's own risk appetite as well as the possibilities for mitigating the risks.

As described above, EU regulation allows the transfer of personal data also to countries that are not deemed to have adequate protection, or whose level of protection has not yet been assessed by the Commission. In such cases a transfer may take place, for example, when standard contractual clauses approved by the Commission are used. EU regulation therefore does not impose a show stopper. However, the risk analysis performed by a company planning to outsource operations to a third country may indicate that the situation in certain countries, or in a specific area of a country, is such that the risks exceed the company's risk appetite, i.e. the country risk assessed by the company is too high to be reasonably mitigated by contract or other means. Even though the regulation would support and allow the transfer of personal data, it is not always wise based on the company's own risk and business impact assessments.

74 Based on the presentation of Britt Amundsen Hoel, CSO, Telenor Norge AS, High risk - low cost - going offshore, ISF annual conference in Monaco, 2010.

75 According to section 10 of the Finnish Personal Data Act, the controller must state in the description of a personal data file whether personal data is to be transferred outside the EU area. The description of the file may date back to a time when outsourcing was not considered, or was not even that common, and may thus state that personal data is not transferred outside the EU. It is uncertain how the description of the file may later be changed if the original version rules out the transfers. One way of proceeding with the change is to consider the description as part of the agreement and to change it according to the same principles by which the agreement could be changed. That is often a very time-consuming process. Therefore it is critical to identify the data files in question and to check what the description of the personal data file states on the issue already at an early stage of the process.

5.1.2 Choosing the partner

Personal data, whether relating to customers or to employees, is in many ways a very critical asset of a company. It is easy to lose reputation and confidence, but regaining them is most often an extremely long and rocky road. The security aspects are therefore by no means insignificant when the outsourcing partner is chosen.

Security-related requirements and questions should be included as part of the Request for Proposal (RFP) sent to the potential vendors. The answer to the RFP gives a starting point for evaluating the partner's capabilities. One should not, however, rely only on the information given in the offer, but should also try to validate by other means that the information given is reliable and not merely commercial marketing statements.

Validating the security of a third party is not an easy task. The Information Security Forum provides a "Security health check" tool, a self-assessment questionnaire that can be used to evaluate whether an outsourcing partner fulfils the set requirements. One must keep in mind, however, that as a self-assessment its results are not objective, but are based on the vendor's own subjective views. The questionnaire is made up of 208 high-level information security questions presented in a macro-enabled Microsoft Excel spreadsheet.76 Another helpful indicator is a certificate held by the partner (e.g. ISO 27001) that covers the part of the partner's processes used to provide the services. Even though an ISO 27001 certificate may not cover all the aspects relevant to a specific outsourcing activity, it gives at least a general indication that the partner has an appropriate information security management system in place. When establishing a business relationship with a completely new partner that has no proof of its security level (e.g. no certificates), it may be wise to audit the partner on site, especially if the operations to be outsourced are critical and/or lead to the transfer of critical information to the partner. Once again it is a question of risk evaluation and mitigation.

An ever-increasing share of services is provided from the cloud. When choosing an outsourcing partner and a solution, it is important to get a clear view of whether a cloud is used and, if so, what kind of cloud is in question (private or public). Moreover, when personal data is to be transferred to a cloud, it is essential to understand where the data is located, who is able to process it and how information security aspects are taken into account. There are no "cloud-specific" privacy regulations; all the rules described in this paper regarding the processing and transfer of personal data apply equally to cloud-based processing of personal data. For example, if the cloud is located outside the EU/EEA, an adequate level of protection must be ensured by one of the means explained earlier.

76 Information Security Forum: Security healthcheck, available for ISF members at www.securityforum.org

5.1.3 Agreeing with the partner

When the vendor has been chosen and the business agreement (outsourcing agreement and service agreement) is under negotiation, it is crucial to include the security requirements in the negotiations. Usually a frame agreement covering all the general terms and conditions of the vendor relationship is concluded first, and separate agreements regarding each assignment are then signed.

It is essential to cover at least the following aspects regarding the processing of personal data in the agreements:

- A Non-Disclosure Agreement (NDA), if one has not already been signed during the partner evaluation.
- A data transfer agreement as explained in Chapter 4.3, if personal data is transferred within the EU/EEA.
- Standard contractual clauses as explained in Chapter 4.4.2.3, if personal data is transferred to a processor located in a third country (outside the EU/EEA) and there is no Commission adequacy finding regarding the country in question or other means specified in the Data Protection Directive to ensure the adequacy of the protection.
- Other relevant security requirements and controls based, for example, on the risk and business impact assessments, regulation, adopted standards, the company's internal instructions and customer demands. It is good to acknowledge, however, that many vendors provide services to various companies located around the world, and placing additional requirements above e.g. the EU regulatory level may add to the costs, because the vendor has to stretch to a customer-specific solution.
- A description of the common processes and practices related to e.g. access, incident, risk, crisis and business continuity management and auditing of the vendor, as well as the responsible persons in each area. It is good to prepare for crisis and worst-case scenarios, to define the related roles, responsibilities and processes, and to test them to the degree possible.
- The consequences and sanctions of a breach of the agreement, e.g. in a situation where the confidentiality or integrity of personal data has been compromised.
- Exit procedures that aim to prevent lock-in to one vendor and enable a seamless as well as secure exit at the end of the partnership.

5.2 Implementation phase

The aim of the implementation phase is to manage the transfer of the operations to the outsourcing partner as seamlessly as possible. This phase starts with planning, e.g. creating migration plans and adapting the business, security and support processes, and ends when the operations are up and running at the outsourcing partner.

From the personal data point of view it is crucial to plan the transfer of the personal data and how it is performed in a secure way. If, instead, the employees of the outsourcing partner are to be granted access to data stored in the company's own systems, the access management process has to be agreed and access rights granted accordingly. The company also needs to agree with the outsourcing partner on how its employees are trained to process personal data according to the requirements set in the agreement.

5.3 Operation phase

The operation phase lasts as long as the company continues to source services from the outsourcing partner. This phase requires active support, maintenance and audit activities from the company, including regular security reviews and follow-ups to validate the compliance and current state of the partner organisation. A significant risk is that the case is considered closed after the implementation phase and the company lacks sufficient resources and interest in supervising the partner and working in co-operation with it. One must bear in mind, however, that the company remains responsible for complying with the applicable regulation even after the processing of personal data has been transferred to the outsourcing partner. Therefore, also from a risk management perspective, it is advisable to interact regularly with the partner and to manage the partnership, e.g. through meeting and reporting structures.77

77 Information Security Forum: Information risk management in outsourcing and offshoring, January 2008, p. 25.


5.4 Review and Exit phase

The longer the outsourcing partnership lasts, the more probable it is that the requirements (e.g. regulation) change in a manner that also affects the processing of data by the outsourcing partner. The parties must establish a way of communicating and handling such operative changes as part of daily business. At some point along the way, however, the time comes to review the partnership and decide on its future. That phase can be called the review phase, and it may lead to an exit if the parties cannot agree on the future terms of the partnership.

The whole lifecycle of the outsourcing and of the data processing should be taken into account already in the preparation phase, and a preliminary plan for exit should also exist at the agreement level. When the agreement is terminated, the company must ensure that the outsourcing arrangement is taken down in a controlled way in order to avoid any disturbance of business or breaches of applicable regulation and other requirements. As a result of a seamless exit process the operations are transferred either back to the company or to another outsourcing partner.


6 Conclusions

Outsourcing at its best brings efficiency, flexibility, increased know-how and cost savings to companies. These benefits do not come for free, however: it takes a huge amount of preparation, actual implementation work, maintenance and follow-up to make outsourcing work securely, seamlessly and in compliance with internal and external demands. It is easy to concentrate on the benefits of outsourcing and to underestimate the risks and the amount of work required from the company itself both before and after the actual transfer of operations has taken place. Outsourcing is not a one-time event, but a continuous relationship with the vendor (outsourcing partner) that lasts as long as the agreement is valid.

The concept of personal data is interpreted so widely that data protection and privacy aspects have to be taken into account in nearly all outsourcing cases. The current regulatory framework for processing and transferring personal data contains a set of basic tools that enable companies to carry out outsourcing activities. Even though the framework can be seen as supportive of outsourcing, it is not always consistent or easy to interpret and implement in practice. The more countries (and therefore the more legal frameworks) are involved, the more complex the situation grows. The responsibility for complying with the applicable laws remains with the data controller (the company outsourcing its operations) no matter where the personal data is transferred to. This can lead to difficult challenges if the legal framework in the country where the data processor (the outsourcing partner) is located differs dramatically from the level of protection established within the EU. The risks can be mitigated to a certain degree by well-prepared agreements and follow-up activities; however, if the legal stability of a country is somewhat compromised, it can be hard to exercise the rights granted by an agreement, no matter how watertight it is. Moreover, it is not possible to override national laws or the authority of the local authorities merely by an agreement between the outsourcing parties.

At the moment conflicts of law may arise also at the EU level, since the Member States have chosen slightly different ways of implementing the EU directives. The Commission intends to review and clarify the provisions on applicable law in connection with the overall review of the data protection regulation, a development which is a welcome improvement on the current state. The target is to achieve full harmonisation by using a regulation as a stronger legal instrument. It is alarming that technical development and the related business models are evolving so fast that the regulator is always many steps behind. The concepts that have been suitable in more traditional outsourcing situations are too bureaucratic or impossible to deploy, for example, in cloud computing situations.

The threat of losing reputation and brand value is often even more severe than the legal risks. A single incident that compromises, for example, the confidentiality of customer data may cause customers to choose another service provider. However, it can also be argued that outsourcing in itself does not self-evidently increase the risks compared with a situation where the operations are handled in-house, since certain risks related to confidentiality, integrity and availability are always present even when the company itself takes care of the operations. It is all about identifying and evaluating threats and risks and mitigating them to the degree reasonably possible and realistic, e.g. by setting controls and following them up.

Data protection and privacy are not something that can be assigned as the responsibility of a single person or unit. They are not something that the Legal Affairs or Sourcing unit just fixes by drafting agreements among themselves. The requirements related to processing and transferring personal data have to be identified, evaluated, implemented and followed up during the whole outsourcing lifecycle and built into the processes just like any other aspect of the co-operation.


BIBLIOGRAPHY

Amundsen Hoel, Britt, CSO, Telenor Norge AS, Presentation High risk - low cost - going offshore, ISF annual conference in Monaco, 2010.

Garner, Bryan A. (ed.), Black's Law Dictionary, 8th edition, West Publishing Co, 2004.

Consolidated version of the Treaty on European Union, Official Journal ("OJ") of the European Union C 83.

Consolidated version of the Treaty on the Functioning of the European Union, OJ C 83.

Commission decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, 2010/87/EU, 5.2.2010.

Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM(2010) 609, Brussels, 4.11.2010.

Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281.

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201.

European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29.11.2011.

European Convention for the Protection of Human Rights and Fundamental Freedoms.

European Court of Justice, Case C-101/01, Bodil Lindqvist, ECR, 2003.

Finnish Personal Data Act (523/1999).

Hallituksen esitys eduskunnalle henkilötietolaiksi ja eräiksi siihen liittyviksi laeiksi (HE 96/1998), yksityiskohtaiset perustelut (Finnish Government proposal on the Personal Data Act, detailed reasoning).

Information Security Forum, Managing the Information Security Risks from Outsourcing (full report), October 2004.

Information Security Forum, Information risk management in outsourcing and offshoring, January 2008.

Information Security Forum, Security healthcheck.

Office of the Finnish Data Protection Ombudsman, Henkilötietojen käsittelyn ulkoistaminen, yhteiset tietojärjestelmät, verkottuminen ja niihin liittyvät sopimukset (Outsourcing of personal data processing, shared information systems, networking and the related agreements), 27.7.2010.

Office of the Finnish Data Protection Ombudsman, Transfer of Personal Data to a Foreign Country According to the Personal Data Act, Issues about data protection 1/2005, updated 16.10.2006.

Reding, Viviane, Privacy in the Cloud: Data Protection and Security in Cloud Computing, at the round-table high-level conference on Mobilising the Cloud organised by GSMA Europe, Speech/11/859, 7.12.2011.

Reding, Viviane, Your data, your rights: Safeguarding your privacy in a connected world, Speech/11/183, 16.3.2011, Brussels.

Working Party (WP) on the Protection of Individuals with regard to the Processing of Personal Data, Working Document Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98, WP12, 24.7.1998.

Working Party, Opinion 4/2007 on the concept of personal data, WP 136, 20.6.2007.

Working Party, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, 2093/05/EN, WP 114, 25.11.2005.

Working Party, Working document on data protection issues related to RFID technology, WP 105, 19.1.2005.


Web pages

Datainspektionen, Transfer of personal data to a third country, http://www.datainspektionen.se/in-english/in-focus-transfer-of-personal-data/#3

European Commission, What are EU directives?, http://ec.europa.eu/eu_law/introduction/what_directive_en.htm

Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries, http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf

Towards Cloud Computing Strategy, http://ec.europa.eu/information_society/activities/cloudcomputing/index_en.htm