Model clauses for overseas transfers of personal data updated

Out-Law News | 08 Feb 2010 | 4:21 pm | 2 min. read

European companies will have to use new standard clauses in the contracts that control their overseas transfers of personal data as a result of a formal Decision adopted by the European Commission on Friday.

The Decision modifies current standard contractual clauses to take account of the expansion of processing activities and new business models for international processing of personal data. It contains specific provision to allow, under certain conditions, the outsourcing of processing activities to sub-processors, while ensuring a constant protection of personal data.

Outsourcing companies outside the EU will now have to get written permission to subcontract the processing of personal data after the European Commission changed arrangements permitting the export of such information.

The EU's data protection regime limits the export of personal data outside the European Economic Area (EEA), which comprises the EU, Iceland, Norway and Liechtenstein.

A small handful of countries have proved their data protection regimes the equivalent of the EU's and so are permitted to receive personal data without further steps (Switzerland, Canada, Argentina, Guernsey, the Isle of Man and Jersey), while the US has a special arrangement, the Safe Harbour scheme, under which participating US companies can receive data if they promise to abide by rules over and above US law.

For transfers to all other countries there must be specific data protection contractual arrangements in place before the personal data of EU residents can be sent to companies based there for processing. The European Commission produces standard clauses that are used in such contracts.

The Commission has changed the terms of those clauses to allow companies in non-European Economic Area (EEA) countries to sub-contract work, but only with the explicit permission of client companies.

"According to the newly adopted Decision, where a data importer (processor) intends to subcontract any of its processing operations performed on behalf of the EU data exporter (controller), it must first obtain the prior written consent of the data exporter," said a Commission statement. "The written contract will impose the same obligations on the sub-processor as those imposed on the data importer under the standard contractual clauses."

"Where the sub-processor fails to fulfil its data protection obligations, the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations. Moreover the sub-processing shall only consist of the processing operations agreed in the initial contract entered into by the data EU exporter and the data importer," it said.

The change was intended to help the contractual clauses better reflect the way that companies are doing business.

"This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing," said Commission vice president Jacques Barrot  "The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens' personal data."

The Commission said that any deals already agreed or in operation could continue according to existing contracts, but that as soon as a new deal was agreed it must comply with the new rules.

"If the parties to the contract wish to make changes to the contract or wish to introduce sub processing arrangements, they will be required to enter into a new contract, which shall comply with the updated version of the contractual clauses," it said.

A committee comprising all the EU's data protection commissioners, the Article 29 Working Party, last year criticised previous Commission plans to order only EU-based companies to include full model contracts, a move that it said undermined the ability of EU companies to compete with those outside the Union.