Outsourcing is an ever-popular cost-saving strategy. For a variety of reasons, companies prefer contracting out to an external provider of goods or services over producing the same thing internally. Outsourcing has wide legal implications depending on the outsourcing model used. In today's information world these models develop quickly, and outsourcing services are provided without regard to geographical boundaries. Technological developments also make it a challenge for legal regulation to respond adequately to such a continuously changing environment. This article briefly outlines how personal data protection regulation responds to technological progress in the field of outsourcing.
Era of cloud computing
One of the most appealing forms of outsourcing is through cloud computing models. Cloud computing is believed to be one of the biggest technological revolutions in recent times, focused on Internet-based use and delivery of IT applications, processing capability, storage and memory space.
Cloud computing covers a wide range of outsourcing services, from relatively simple forms (e.g. server warehousing) to sophisticated web-based tailor-made solutions. As a result of the complex set of relations established by outsourcing, what may at the beginning appear to be a simple form of hardware leasing could, in the end, result in a complicated structure triggering various personal data protection issues. This is caused by two main factors. Firstly, cloud computing models inevitably lead to a flow of (personal) data processed by the client to the service provider and back. Secondly, cloud service providers are generally considered to be data processors of the data stored on their servers, even if they do not have access to them. It goes without saying that data processing must be compliant with applicable data protection regulations.
Response of the data protection authorities
Increased interest in utilisation of cloud computing models has called for an assessment of their personal data protection dimension. The fruitful debate gave rise to the adoption of Opinion 05/2012 on Cloud computing (the “Opinion”) by the Article 29 Data Protection Working Party (the “Working Party”), an independent advisory body established under Article 29 of the Data Protection Directive 95/46/EC. The Working Party is composed of representatives of national data protection supervisory authorities. Its opinions are not formally binding, but often serve as an interpretation tool and hint at how the national supervisory authority may view the topic.
The Opinion recognises the economic and social benefits of cloud computing but at the same time emphasises the need for careful assessment of the proposed outsourcing structures, as the Working Party believes that cloud computing triggers two main data protection risks: a lack of control over the personal data by the client, and insufficient information regarding the processing operations. These risks are inherent to cloud computing schemes, as cloud service providers often operate, or have the outsourcing infrastructure located, in jurisdictions where data protection regulation is effectively non-existent.
It is only natural to make the assessment before the outsourcing structure is implemented. Otherwise there is a risk that non-compliance may be sanctioned by the national data protection supervisory authority or claims may be brought by the data subjects.
Key data protection considerations
To do an appropriate assessment of the outsourcing structure from the perspective of personal data protection, at least the following questions need to be clearly answered: What are the roles of the parties involved? To which countries would the personal data flow during the provision of the services? What operations would the service provider perform with the personal data?
Although these three questions are intertwined, the question relating to the cross-border flow of personal data is likely the most challenging. The primary reason is that the complexity of cloud computing models often results in the participation of several parties and a flow of data among numerous jurisdictions. Consequently, the data protection requirements for compliance of the selected models depend on the role of the parties involved in the processing chain and the jurisdictions in which personal data are located during the provision of the services. These requirements are stricter if the data flow outside the European Economic Area or to a country not ensuring an adequate level of protection.
In this context the Slovak data protection regulation can prove to be even more demanding than that of other EU jurisdictions. Slovak regulation is more extensive than the EU data protection legislation, and clearing the selected outsourcing model may turn out to be surprisingly time-consuming and administratively burdensome. It is expected that the unnecessary demands of Slovak regulation may be eased by the adoption of the new data protection legislation.
Jozef Buday
attorney at PRK Partners s.r.o.
Faculty of Law of Comenius University in Bratislava