Sub-processor International Data Transfers: Are you clear on your obligations under UK data protection laws?

There has recently been a lot of focus on the appropriate safeguards that businesses should be using in respect of international data transfers, in this article we thought it would be helpful to go back to basics and discuss the requirements that businesses must adhere to when making international data transfers to sub-processors.

This is an area which appears to have caused confusion in the market and is more important than ever given that UK businesses are increasingly transferring record amounts of personal data outside the UK (directly or indirectly) under their supplier arrangements (e.g. under software as a service (SaaS) arrangements).

The role of service providers

Service providers (in particular SaaS providers) are increasingly using overseas sub-processors in the provision of their services to UK customers. Where such arrangements involve the transfer of personal data from the UK to a country based outside of the UK, it is necessary, under UK data protection laws, to ensure that (i) an adequacy decision exists in respect of that country or (ii) appropriate safeguards (e.g. UK International Data Transfer Agreement or EU SCCs with UK Addendum) are in place. These obligations bite on both controllers and processors.

It is well understood that where a UK based supplier (acting as a processor) provides services to a UK based customer (acting as a controller) which involves the transfer of personal data by the supplier to a third party (acting as a sub-processor) based overseas (i.e. there is an onward transfer of personal data from the processor to its sub-processor), it is the processor's responsibility to enter into appropriate safeguards with the sub-processor (assuming, that is, no adequacy decision has been made in respect of the jurisdiction the sub-processor operates from).

What happens when personal data is transferred directly to the overseas sub-processor?

The position is less clear however where, in the same scenario referred to above, the personal data is transferred from the UK controller directly to the overseas sub-processor (i.e. the data does not physically go via the UK processor). In this instance the data flow does not align with contractual chain (see diagram below) which has led to confusion in the market.

The ICO guidance on international data transfers states that "only the controller or processor who initiates and agrees to the transfer is responsible for complying with the UK GDPR rules on restricted transfers".

Applying this to the above scenario, this means that whilst the data flow is between the UK controller and overseas sub-processor, it is not the responsibility of the controller to enter appropriate safeguards with the sub-processor, rather it is the UK processor's responsibility since they are the one that has "initiated" the transfer.

What should UK suppliers consider?

UK suppliers (acting as processors) should therefore consider whether they need to enter into appropriate safeguards with their overseas sub-processors (even where the data flow is between a UK customer and the relevant sub-processor).

Failure to do so could mean breaching its obligations under UK data protection laws and potentially its contracts with customers (to the extent these contain obligations in relation to implementing appropriate safeguards with sub-processors based overseas which we would expect to be the case).

In these circumstances, it is also the responsibility of the supplier to carry out a transfer risk assessment to ensure it has fully understood the risks posed by the onward processing before engaging the relevant sub-processor. This is important to bear in mind, not least because the supplier will remain responsible for the acts/omissions of the sub-processors it appoints.

What should UK customers consider?

UK customers (acting as controllers) on the other hand, should be alive to their processors' obligations (above) to ensure that the contract with the supplier contains provisions requiring the processor to implement appropriate safeguards in respect of transfers to its overseas sub-processors (thereby giving it contractual recourse against the supplier if it suffers a loss as a result of the international transfer and subsequent processing by the sub-processor.

For more information, read our The 21 March 2024 deadline is looming: have you updated your contracts to replace the old EU SCCs? article.