The European Commission today adopted new standard contractual clauses for use when organisations transfer personal data to data processors in countries outside the European Economic Area.
There are a number of legal compliance mechanisms that organisations can use to ensure “adequate protection” for personal data being transferred to processors outside the EEA in countries not recognised as offering an adequate level of data protection. The standard contractual clauses are, however, one of the most popular routes to legal compliance because where used they allow transfers to be made on relatively short notice.
The European Commission previously approved a set of standard contractual clauses for transfers to data processors in 2001. The new 2010 clauses:
· For the first time provide a legally compliant mechanism for data processor to data processor transfers as long as the data controller provides its consent in writing and the same data protection obligations are imposed on the data sub-processor as are imposed on the original data processor;
· Provide that the original data processor will remain liable for any data protection breaches by the data sub-processor;
· Relate to personal data transfers made from data controllers in the EEA to data processors outside the EEA. They do not, however, apply where transfers are made from data processors in the EEA to data sub-processors outside the EEA, although national data protection authorities may allow these new clauses to be used for these purposes;
· Must be used where any changes are made to contracts with existing data processors or where new contracts are entered into with new data processors. Where an organisation has already used the 2001 clauses to justify a transfer, this will remain compliant until such times as new contracts are entered into. The Commission has, however, said "If the parties to the contract wish to make changes to the contract or wish to introduce sub processing arrangements, they will be required to enter into a new contract, which shall comply with the updated version of the contractual clauses";
· Have deleted the mandatory arbitration clause contained in the 2001 clauses and which many businesses had objected to.
The European Commission’s Press Release about these new clauses can be found here. "This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing" said Vice-President of the European Commission.
Please contact us should you require any advice about international data transfers of personal data that you have already made or intend to make. We can advise you both about use of the standard contractual clauses and also about use of the other mechanisms for legally compliant transfer.