Under the terms of European data protection laws, a UK business must not transfer personal data, such as the names and addresses of its customers, to any country without equivalent protection for individuals’ privacy. This would include, for example, the UK branch of a US company wanting to e-mail marketing data back to its parent company in the US.
The draft contract is designed for downloading, completing and signing by the data exporter and data importer. It provides that an affected individual would be able to enforce his or her rights under the contract as a beneficiary of it.
The data exporter must warrant under the contract that, for instance, if sensitive personal data is involved, the individual concerned has consented to the transfer to a country without an adequate level of protection. The data importer also makes several undertakings to ensure compliance with the general principles of data protection found in EU law, such as offering an individual equivalent rights of access to and correction of data held as those to which he or she would be entitled in the country from which the data is exported.
The Commission is inviting comments from any interested parties before 16th October.