DATA PROCESSORS IN SAN MARINO? ART. 28 GDPR IS NOT ENOUGH!
3 January 2019
It is well known that the Republic of San Marino, although located in the Italian peninsula and sharing European culture, a European economy and the European currency, is politically not part of the EU.
In May 2018 (not so promptly, to be honest) the San Marino Government approved a bill on the “Protection of natural persons with regard to the processing of personal data”, which was definitively approved on 21 December 2018. The full text of the law (in Italian only) is available at: https://www.consigliograndeegenerale.sm/on-line/home/streaming-video-consiglio/scheda17161069.html
While waiting for the European Commission to decide whether the RSM (Republic of San Marino) can be considered a country that ensures an adequate level of protection of personal data, with an adequacy decision pursuant to Article 45(3) GDPR, which could take place much later, we need to understand how to proceed when data processing by an Italian controller (or by other EU controllers) implies “data exchanges” with processors established in RSM.
Recently I came across contracts that designate processors from the Republic of San Marino as simple processors, as governed by art. 28 GDPR, with exactly the same text as the regular contracts between EU controllers and EU processors.
Unfortunately, those kinds of contracts, which work perfectly between EU players, do not work if the data processors are established outside the EU.
This is exactly the case of RSM’s data processors: they are established outside the EU.
If that wrong solution is adopted by an Italian controller, or by a controller from any other EU country, it could cause serious repercussions for the EU controllers, considering the serious penalties imposed by art. 83, par. 5, c) GDPR. It can also cause a loss of trust in RSM’s processors who did not advise EU controllers about this issue, mainly if the controllers are not Italian.
The RSM’s data processors are located in an “extra EU” country. It will therefore be necessary to use the standard clauses adopted by the EU Commission, pursuant to art. 46, par. 2, letter c) GDPR.
Even though the EU Commission has not yet decided on new standard clauses pursuant to art. 46, par. 2, letter c) GDPR, art. 45(9) GDPR establishes that decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a new Commission Decision. This allows us to think that the standard clauses previously adopted by the EU Commission pursuant to art. 26 of Directive 95/46/EC are also still in force.
The Italian Supervisory Authority, replying to my formal question, answered me – off the record – that this solution is right!
In fact, I have recently had the chance to write some contracts for some RSM processors with this kind of standard clauses.
In the last two years I helped correct the final text of the GDPR, writing some suggestions and corrections to the European Legislative Office.
I obtained a certificate of my skills as GDPR consultant and Data Protection Officer from the Italian official certification agency (ACCREDIA).
I help companies and enterprises to be compliant with the GDPR and I write contracts to govern the relationship between controller and processor and between processor and sub-processor, as well as all other kinds of documents, from the Records of processing activities to the information pursuant to art. 13 and 14 GDPR.
If you need to regulate your data transfers to RSM’s processors, or to other non-EU countries, do not hesitate to contact me by email or by phone here:
email: info@studiolegalecucci.net
Francesco Cucci,
attorney and DPO
Italian version of this article: here