The possibility of subcontracting of services involving access to data by a third party is regulated in article 21 of Royal Decree 1720 / 2007, of 21 December, which approves the regulation of development of the organic law 15/1999, of 13 December, of protection of personal data, in its title III relating to the charge of treatment. Subcontracting for the provision of services is something that can become something quite normal, so we will summarized in a simple way which means according to the activity and its fundamental characteristics. The first point to be treated are the subjects involved. As we know the data protection act when it comes to the supply of services involving access to data identifies two parts, responsible for the file and the responsible of the treatment. Association is the place to go. As well, when it comes to subcontracting, do that third company that appears in the equation that figure assumes? The data protection Act makes it clear that the outsourced company will assume the figure in charge of the treatment, with all the obligations and duties of this figure, and is that the company that subcontracts do not as responsible for the treatment of the person in charge but it does so on behalf and on account of this.
Therefore in this situation we could speak of the existence of a file manager and two responsible for treatment on the same situation or service provided. The next question that may arise is when you can outsource, or if the will of the responsible of the treatment is enough to do so. For the outsourcing of service between the Manager and the Manager is mandatory condition have the express consent of the owner of the file, either at the time of the hiring of service or a posteriori but always prior to subcontracting. Once you have the authorisation of the person responsible for, the last step is to regularize the situation between the processor and the outsourced company. Here the legislation refers us to the already established for contracts between file managers and managers of treatment to regulate access to data for the provision of a service, namely the contract of the Article 12 of the data protection act. Ultimately, the data protection Act regulates subcontracting very similarly to as it does when it is simply a relationship between the owner of the file and the responsible for the treatment, not recognizing the subcontractor as a new figure and assigning the same personality and obligations as a responsible of the treatment. Audea Alvaro Aritio Department right ICT information security