The Decision modifies current standard contractual clauses to
take account of the expansion of processing activities and new
business models for international processing of personal data. It
contains specific provision to allow, under certain conditions, the
outsourcing of processing activities to sub-processors, while
ensuring a constant protection of personal data.
Outsourcing companies outside the EU will now have to get
written permission to subcontract the processing of personal data
after the European Commission changed arrangements permitting the
export of such information.
The EU's data protection regime limits the export of personal
data outside the European Economic Area (EEA) which comprises the
EU, Iceland, Norway and Liechtenstein.
A small handful of countries have proved their data protection
regimes the equivalent of the EU's and so are permitted to receive
personal data without further steps (Switzerland, Canada,
Argentina, Guernsey, the Isle of Man and Jersey), while the US has
a special arrangement, the Safe Harbour scheme, under which
participating US companies can receive data if they promise to
abide by rules over and above US law.
For transfers to all other countries there must be specific data
protection contractual arrangements in place before the personal
data of EU residents can be sent to companies based there for
processing. The European Commission produces standard clauses that
are used in such contracts.
The Commission has changed the terms of those clauses to allow
companies in non-European Economic Area (EEA) countries to
sub-contract work, but only with the explicit permission of client
companies.
"According to the newly adopted Decision, where a data importer
(processor) intends to subcontract any of its processing operations
performed on behalf of the EU data exporter (controller), it must
first obtain the prior written consent of the data exporter," said
a Commission statement. "The written contract will impose the same
obligations on the sub-processor as those imposed on the data
importer under the standard contractual clauses."
"Where the sub-processor fails to fulfil its data protection
obligations, the data importer shall remain fully liable to the
data exporter for the performance of the sub-processor's
obligations. Moreover the sub-processing shall only consist of the
processing operations agreed in the initial contract entered into
by the data EU exporter and the data importer," it said.
The change was intended to help the contractual clauses to
reflect better the way that companies are doing business.
"This updated version of the standard contractual clauses takes
account of new business models and the growing trends to global
processing and outsourcing," said Commission vice president Jacques
Barrot "The updated standard contractual clauses ensure a
balance between global business needs and protection of EU
citizens' personal data."
The Commission said that any deals already agreed or in
operation could continue according to existing contracts, but that
as soon as a new deal was agreed it must comply with the new
rules.
"If the parties to the contract wish to make changes to the
contract or wish to introduce sub processing arrangements, they
will be required to enter into a new contract, which shall comply
with the updated version of the contractual clauses," it said.
A committee comprising all the EU's data protection
commissioners, the Article 29 Working Party, last year criticised
previous Commission plans to order only EU-based companies to
include full model contracts, a move that it said undermined the
ability of EU companies to compete with those outside the
Union.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
