What is the limit for controllers’ due diligence for international sub-contractors?

Fernanda Viana, a lawyer in Brazil, reports on a case involving Vodafone Spain’s “internal transfer penalty” in light of Schrems II and the EDPB Recommendation.

There are important questions that should be raised following the Schrems II decision. Will data controllers be able to supplement the Standard Contractual Clause (SCC) guarantees and to verify, prior to a transfer, whether the protections required by EU law will be met? How feasible is it for controllers to verify the level of foreign intelligence surveillance in third countries anywhere in the world before they make data transfers?

A recent decision from Spain sheds light on some of these concerns. On 11 March 2021, Spain’s Data Protection Authority (AEPD) imposed a fine on Vodafone España, S.A.U (Vodafone) amounting to €8.15 million.(1) The company hired an operator for its clients’ database operations, and that operator used a subcontractor in Peru without any contractual provisions to guarantee the legality of the transfer. The sanction was for:
