The Spanish Data Protection Authority ("Agencia Espanola Proteccion Datos - AEPD") has recently issued its highest fine to date, totaling ?8.15 million for several breaches of GDPR and national legislation by a multinational telecommunication company and its service providers. Notably, ?2 million of this fine was attributable to its service provider conducting an international transfer of personal data to a country that did not comply with the European data protection requirements.

Following the Schrems II ruling, European supervisory authorities are increasing their scrutiny of the safeguards and controls being adopted by organisations when conducting international transfers and processing of personal data. This case demonstrates that organisations that transfer and use significant amounts of personal data in the context of operations that are heavily outsourced or reliant on chains of counterparties in different countries may be particularly at risk of future enforcement action.

Data transfers

Under Article 44 of the GDPR, businesses transferring personal data abroad (i.e. outside of the EEA and UK) must put in place appropriate safeguards unless data protection law in the country the data is being transferred to is classed as offering adequate data protection.

The most commonly used safeguard for transfers to countries not classed as adequate are the Standard Contractual Clauses ("SCCs") which set out the obligations of both the importing and exporting party with regard to the protection of personal data and the enforceable rights of the data subjects against both these parties.

The fines in detail

A ?2 million fine was issued for the international transfer of personal data without sufficient protection for customer personal data. In this case, the multinational business relied on an outsourced service provider (i.e. a data processor) to conduct certain database operations with respect to its customers' personal data.  This outsourced service provider used a subcontractor (i.e. a sub-processor) based in Peru without any contractual provisions being put in place to ensure the transfer of personal data to Peru occurred in a manner that complied with the European data protection requirements.

The remainder of the ?8.15 million fine consisted of:

  1. ?4 million for using service providers that did not implement sufficient measures to comply with the GDPR (such as security measures);
  2. ?2 million for these service providers sending marketing communications to customers without their consent (which included marketing communications being sent to those who had previously opted out of or had objected to receiving them); and
  3. ?150,000 for using cookies technologies to conduct marketing communications without checking if customers had opted out first.

Conclusion

The AEPD concluded that there was insufficient documentation and an overall lack of control and supervision about how customer data was treated as well as there being a lack of awareness about the documentation the multinational had in place by third parties processing customer data on its behalf.

The AEPD noted that these concerns most likely arose because the majority of operations were outsourced. Similarly placed multinational companies should regularly review the sufficiency of the controls they have in place that relate to their use of data processors and sub-processors in response to this.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.