Data Transfers: Standard Contractual Clauses Updated

February 9, 2010

The European Commission has adopted a Decision updating the standard contractual clauses for the transfer of personal data to processors established in non-EU countries that are not recognised as offering an adequate level of data protection (contractual clauses ‘controller to processor’). The adoption of the Decision is effective from 5 February.  

The Decision adopted on 5 February modifies current standard contractual clauses to take account of the expansion of processing activities and new business models of companies for international processing of personal data. Specific provisions allow, under certain conditions, the outsourcing by the processor of its processing activities (sub-processing) to other sub-processor or sub-processors so as to continue to ensure the protection of data subjects. Under these standard contractual clauses, an EU company exporting data (controller) should instruct its processor established in a third country to treat the data with full respect to the EU data protection requirements and should guarantee that appropriate technical and security measures are in place in the destination country. The data subjects are granted a third party beneficiary right against the EU data exporter and, under some circumstances, against the data importer (processor) to enforce several of the contractual obligations entered into the exporter and the data importer in order to ensure the protection of their rights, in particular where the data subjects suffer damage as a consequence of a breach of the contract. 

SCL has been unable to locate an official version of the new standard text; the publication of the text on the OJ and on the internet is envisaged for tomorrow, February 10 (OJ ref no. C(2010)593).

EU Commission Vice-President Jacques Barrot said ‘This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing. The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens’ personal data’.  

The original ‘controller to processor’ standard contractual clauses were approved by Commission Decision 2002/16/EC in order to provide companies with a tool which help them to comply with the obligation to ensure ‘adequate protection’ for personal data when they transfer personal data to processors outside the EU/EEA. Directive 95/46/EC lays down the legal framework for the processing of personal data in the European Union. With regard to international transfers of personal data to non EU/EEA countries, Directive 95/46/EC provides that transfer of personal data to a third country may take place only if the third country ensures an adequate level of protection, unless one of a limited number of specific exemptions applies. Where a third country does not ensure an adequate level of protection, Member States may authorize a transfer or a set of transfers of personal data to that third country where the controller adduces adequate safeguards with respect to the protection of privacy and data protection standards; such safeguards may in particular result from appropriate contractual clauses. Directive 95/46/EC provides that the European Commission may decide that certain standard contractual clauses offer sufficient safeguards for transfers of personal data to a third country that does not offer an adequate level of protection. 

The standard contractual clauses are only one of several possibilities under the EU data protection Directive (95/46/EC) for lawfully transferring personal data outside the EU. They are not compulsory for businesses. However the advantage of using these standard clauses when transferring personal data to processors in countries outside the EU is that, on one hand, companies are obliged to comply with data protection standards and, on the other hand, Member States’ data protection authorities are obliged to recognise that these transfers enjoy adequate protection.

In addition to these standard contractual clauses, the European Commission has also adopted two Decisions which lay down standard clauses for the transfer of personal data to controllers outside the EU/EEA (Decisions 2001/497/EC and 2004/915//EC).