European Commission updates standard controller to processor clauses for non-EEA transfers

Updated March 2010

In February 2010, the European Commission adopted a Decision to update the standard contractual clauses that can be used in relation to the transfer of personal data to processors in non-EEA countries.

Why is this relevant?

Organisations may wish to transfer personal data internationally for many reasons, including as part of an off-shore outsourcing, for internal international group company purposes or as part of a business transaction. Such cross border transfers of personal data are governed by the European Data Protection Directive (the Directive) and the implementing legislation of each Member State (in the UK this is the Data Protection Act 1998). The key principle of the Directive is to ensure that personal data lawfully processed in the EU remains subject to protection when transferred to "third countries" outside the EEA. If a third country has not been specifically recognised (by the European Commission or the Member State) as offering an adequate level of protection, other safeguards must be put in place. If such safeguards are absent, the transfer of personal data will be illegal.

One such safeguard available under the Directive is the use of appropriate contractual clauses for the transfer of data from EU data controllers to third country processors. In December 2001, as permitted by the Directive, the European Commission issued a set of model contractual clauses for this purpose. The clauses include provisions relating to:

• the particular data transfer,
• the obligations of the data controller initiating the transfer,
• the obligations of the third country data processor receiving the data, and
• the rights of data subjects to enforce certain provisions against the data controller and the data processor.

Data controllers may use these clauses to ensure that their personal data is lawfully transferred outside the EEA.

How are the new clauses different?

To view the European Commission's press release, the Decision and the revised model clauses (included at Annex 1 to the Decision), please see Related Links.

The main change in the revised clauses is that, for the first time, third country data processors will be permitted to outsource processing to other sub-processors. This is permitted so long as:

• the sub-processor enters into a written sub-processing contract (incorporating specified provisions);
• the sub-processor ensures that the sub-processing will be carried out in accordance with certain requirements; and
• the data processor obtains the written consent of the data controller.

There are also administrative requirements relating to the notification, record-keeping and availability of sub-processing contracts.

Importantly if a sub-processor fails to fulfil its data protection obligations under the sub-processing agreement, the original data processor will remain liable to the data controller for the breach of its obligations under that contract.

The rights of data subjects have been extended under the revised clauses. In addition to being able to enforce contractual obligations against the data controller and the data processor, the data subject will now also be able to enforce certain rights against the sub-processor.

When must the new clauses be used?

The revised clauses are to come into force on 15th May 2010 and any contracts concluded between data controllers and third country data processors made after that date must be modelled on the new clauses. Any contracts made before that date will remain in force on the old terms but, if an existing contract is amended after 15th May 2010, the parties must enter into a new contract based on the updated clauses.

Comment

The new clauses have been welcomed as better reflecting the realities of the way data processing arrangements operate in the present day. In its press release the European Commission stated that the modifications were made to "take account of the expansion of processing activities and new business models of companies for international processing of personal data". The Commission vice president stated that "the updated standard contractual clauses ensure a balance between global business needs and protection of EU citizen's personal data."

The change will particularly be welcomed by organisations that have processing arrangements where costs are kept down by sub-contracting to sub-processors abroad with lower overheads.

Should you require any further advice in relation to the use of model standard contractual clauses or other ways to lawfully conduct international transfers of personal data, please contact a member of TLT's Data Protection and Privacy team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2010. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

The information you access via the links on this update is subject to the terms and conditions of the website provider accessible via their home page and we recommend that you read such terms.