In December 2012, the Spanish Data Protection Authority (SPDA) published a new set of Model Clauses prepared purely for use by service providers that subcontract to companies located in countries outside the EEA.

These new Model Clauses (based on the 2010 controller-to-processor clauses) will allow for an international transfer of personal data from a data processor (data exporter) established in Spain to a subprocessor (data importer) based in a country that does not ensure an adequate level of protection in the field of personal data, within the context of an outsourcing arrangement.

The current sets of EU Model Clauses available are drafted from a data controller’s perspective, in that the data controller is principally responsible for compliance requirements such as, in Spain, obtaining prior authorisation for transfers from the SPDA. Historically, that meant that the company that outsourced the services to the prime contractor was still responsible for getting SPDA authorisation for the international data transfer for each subcontractor.

Now, Spanish service providers acting as data processors can enter into Model Clauses directly with their subprocessors and initiate the prior authorisation process themselves with the SPDA to request approval of an international transfer of their client’s personal data for processing by their subcontractors located outside the EEA.

These new Model Clauses should facilitate data processing within a supply chain by allowing outsourcing service providers to engage subcontractors outside the EEA, to use the clauses as evidence to customers of their data protection compliance and ultimately to market their services in a more competitive fashion. The Spanish DPA has clearly responded to the demands of the outsourcing sector by providing a more flexible method of covering processor-to-subprocessor data exports and helping to eliminate some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors.