Data Privacy Consultant/Legal Advisor, Privensure
A transfer of personal data from an EEA processor to a non-EEA sub-processor has never been officially regulated at the EU level, despite the fact that it is a frequent occurrence, especially in the IT industry. Very often, a customer of an IT company based in Ukraine is not the one who determines the purposes and means of the processing of personal data, namely a controller, but the one who processes personal data on behalf of the controller, in other words, the processor.
Unfortunately, the European Union appeared to be reluctant to find a quick solution to ease the situation with a transfer of personal data from an EEA processor to a non-EEA sub-processor. As a consequence, we have only a "Working document 01/2014 on Draft Ad hoc contractual clauses 'EU data processor to non-EU sub-processor'" issued by the EU Article 29 Working Party on March 21, 2014, which is not even an official document and thus cannot be used in this kind of transfer.
The Article 29 Data Protection Working Party released FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, dated 12 July 2010, aiming to clarify the application of Standard Contractual Clauses between EU controllers and non-EU processors. Being virtually the only official document from the European Union authorities, it answers the question of how EEA-based processors should transfer personal data to non-EEA-based sub-processors. The explanation given in this paper makes it very business unfriendly. In other words, a suggestion to use direct contracts between EEA-based controllers and non-EEA-based sub-processors makes the signing of a data processing agreement that includes Standard Contractual Clauses a long-running process that involves many people. Although an EEA-based controller agrees on a list of sub-processors with a data processor prior to any transfer, a controller is not the one who communicates with a sub-processor directly, and a processor usually tries to tackle all data protection issues with a sub-processor without any further involvement of a data controller.
Another option identified by the Article 29 Working Party in case of cross-border data transfer is “Clear mandate from EEA-based controllers to EEA-based processors in order to use Model Clauses 2010/87/EU in their name and on their behalf”. “Clear mandate” means a proxy that a data controller gives to a data processor. Consequently, signing Standard Contractual Clauses while holding a proxy to act on the data controller’s behalf becomes the second option described in the FAQs on Standard Contractual Clauses for the transfer of personal data to data processors established in third countries. However, one should keep in mind that having a clear mandate is not the same as getting the written authorization to engage sub-processors. In other words, it is different from the practice that is used between the EEA-based controller and the EEA-based processor when the EEA-based processor engages the EEA-based sub
The third option of cross-border data transfer from an EEA-based processor to a non-EEA-based sub-processor is ad-hoc contracts, and it seems to be the least attractive choice. First of all, companies have to provide strong guarantees of personal data protection that are equal to the safeguards envisaged in Standard Contractual Clauses. However, what is more challenging about using ad-hoc contracts is that they must be reviewed by the European Data Protection Board and be authorized by a national Data Protection Authority. It is something that will take a lot more effort from the parties engaged compared to the first two options.
Most companies prefer to use the first option, namely direct contracts between the EEA-based controller and the non-EEA-based processor. Unfortunately, on a practical level, the situation that happens even more often is when data processors sign Standard Contractual Clauses with sub-processors without a proxy, adding a provision to a data processing agreement that a data controller agreed to such transfer. This leads to a situation where an EEA-based data processor becomes a data exporter, and a sub-processor becomes a data importer, which does not correspond to reality and is not the best legal solution. The cross-border data transfer becomes even more complicated when we have a long chain of processors. For example, EEA-based data controller → EEA-based data processor → non-EEA-based sub-processor → non-EEA-based subsequent sub-processor. In this case, a non-EEA-based subsequent sub-processor has to sign Standard Contractual Clauses directly with an EEA-based controller. A situation like this results in many debates inside the company, among them a fear of losing a client from the EU that may find an easier way to run a business and engage an EEA-based sub-processor. Consequently, the right approach and the skill of persuading a client that has dealt only with EEA-based companies may serve the company well.
While dealing with the conundrum of not having an official document for cross-border data transfer from an EEA data processor to a non-EEA sub-processor, third countries that suffer from the absence of an adequacy decision have faced another problem that has appeared this summer, namely the Schrems II decision and the confusion around the phrase “additional safeguards”, which has not received a sufficient explanation from the EU. More importantly, even though the Schrems II decision kept Standard Contractual Clauses in force, it imposed additional responsibilities on data exporters. At present, the only guidance we have is the one issued by the Data Protection Authority Baden-Württemberg on September 7, 2020, which provides at least some kind of explanation of what additional safeguards might be. Thus, additional measures or guarantees that parties to Standard Contractual Clauses might include comprise:
∙ Encryption, in which case, only the EU data exporter holds the key so that data cannot be accessed by US security authorities
∙ Anonymisation or pseudonymisation, where only the EU data exporter can reverse the anonymisation or pseudonymisation 
However, we should bear in mind that this guidance is applicable to companies established in Baden-Württemberg, and we should use it only as an auxiliary source.
Among the additional responsibilities of data exporters, the Schrems II decision distinguishes the verification of whether the law in a recipient third country provides adequate data protection, and the due diligence of a data importer, which assists in finding out whether a company acting as a data importer is bound by these laws and is able to execute all provisions of the Standard Contractual Clauses. While imposing new demands, neither the Court of Justice of the European Union nor the European Data Protection Board has specified the criteria that should be taken into consideration while making this kind of assessment or how it should be executed.
While encountering the challenges of Standard Contractual Clauses in the event of a chain of several processors, Ukrainian IT companies run into another pitfall that popped up with the Schrems II decision. Data privacy professionals across the globe expressed their concerns regarding cross-border data transfer immediately after the decision. One of them is a possible decrease in the involvement of third-country data processors in order to avoid the inconvenience of additional checks of a data processor. However, notwithstanding all the current uncertainties and questions, there is a big chance that the New Standard Contractual Clauses will be issued by the end of 2020 along with detailed guidance on additional guarantees and safeguards, and therefore will eliminate the concerns about cross-border transfers of personal data to “non-adequate” countries.
1. Article 29 Data Protection Working Party “Working document 01/2014 on Draft Ad hoc contractual clauses 'EU data processor to non-EU sub-processor'” adopted on 21 March 2014. URL: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp214_en.pdf (last accessed 30.10.2020).
3. Article 29 Data Protection Working Party “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” adopted on 12 July 2010. URL: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp176_en.pdf (last accessed 30.10.2020).
4. Ibid.
5. Seligmann, Guillaume, Rout, Adeline. Navigating the Atlantic with Personal Data. July 24, 2020. URL: https://www.cohengresser.com/app/uploads/2020/07/Navigating-the-Atlantic-with-Personal-Data.pdf (last accessed 30.10.2020).
6. Hunton Andrews Kurth Blog, German DPA Issues Guidance on Data Transfers Following Schrems II. September 2, 2020. URL: https://www.huntonprivacyblog.com/2020/09/02/german-dpa-issues-guidance-on-data-transfers-following-schrems-ii/ (last accessed 30.10.2020).
7. Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg “Orientierungshilfe des LfDI BW: Was jetzt in Sachen internationaler Datentransfer?”, August 25, 2020. URL: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/LfDI-BW-Orientierungshilfe-zu-Schrems-II.pdf (last accessed 30.10.2020).
8. Demmel, Annette, Lucht, Mareike. German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries. September 23, 2002. URL: https://www.natlawreview.com/article/german-dpa-issues-guidance-schrems-ii-and-transfer-personal-data-to-non-eu-countries (last accessed 30.10.2020).
9. Fennessy, Caitlin. The 'Schrems II' decision: EU-US data transfers in question. July 16, 2020. URL: https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/ (last accessed 30.10.2020).
10. Kaufmann, Julia, Valetk, Harry. International: The impact ‘Schrems II’ has on controller-to-controller SCCs. August 15, 2020. URL: https://globalcompliancenews.com/international-the-impact-schrems-ii-has-on-controller-to-controller-sccs-28072020/ (last accessed 30.10.2020).