Please note: This is one of a series of guides about overseas transfers of personal data. If you're new to that subject, read the introduction to overseas transfers first.
From 15th May 2010, European data controllers have to use new 'model clauses' in contracts that control overseas transfers of personal data to non-European data processors.
What are model clauses?
A separate OUT-LAW guide, Model clauses for transferring personal data overseas: an overview, explains the basics. In brief, though, they are a means of achieving adequacy under Principle 8 of the UK Data Protection Act 1998 so that personal data can be transferred from an EEA (European Economic Area) country to a non-EEA country. The EEA comprises the 27 member states of the European Union as well as Iceland, Liechtenstein and Norway.
The model clauses are approved by the European Commission and there are clauses covering data controller to data controller transfers and data controller to data processor transfers. New model clauses were approved in February 2010 for data controller to data processor transfers and must be used from 15th May 2010.
When do we have to use the new model clauses?
The new model clauses need to be used after 15th May 2010 if:
- you are a data controller in the EEA and you start transferring personal data outside the EEA to a data processor; or
- you are a data controller in the EEA and have an existing contract where personal data is transferred outside the EEA to a data processor (based on the previous version of the model clauses) but something changes in relation to that contract (for example, there is a change to processing operations or there is subcontracting for the first time).
What are the differences?
The main difference between the new clauses and the previous ones is that the new clauses take account of the expansion of processing activities and deal with the situation where there is further outsourcing of processing to sub-processors.
In particular, the key changes are:
A definition of sub-processors has been added. This extends not just to someone acting as a sub-processor to the main processor (data importer) but to sub-processors engaged by sub-processors – so the requirements flow all the way down the chain. A sub-processor is someone who agrees to process personal data in accordance with the data controller’s (i.e. data exporter's) instructions, terms of the model clauses and the terms of the written subcontract.
A data importer must not subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer (the model clauses suggest that this could be satisfied by the sub-processors co-signing the contract between the data exporter and the data importer). The data importer remains fully liable for the activities of its sub-processors.
The data importer is required to send a copy of any sub-processing contract to the data exporter. The data exporter is required to keep a list of the sub-processing agreements which have been concluded and update this at least once a year. This should be available to the data exporter’s supervisory authority (in the UK, the Information Commissioner).
The previous version provided that if a data subject suffered damage then they had a right to enforce against the data exporter. If the data exporter had factually disappeared, ceased to exist or become insolvent then the data subject had a right to enforce against the data importer. The new clauses provide that if the data importer has similarly disappeared then the data subject can claim from the sub-processor (unless any successor entity has taken on the entire legal obligations for either the data exporter or the data importer). However, the sub-processor's liability is limited to its own processing operations.
Other provisions that referred previously to the data importer are extended to refer to the sub-processor. For example, once the contract is terminated the sub-processor warrants that all personal data will be returned or destroyed confidentially and that an audit can be carried out; and where the data exporter previously agreed to make available, on request, a copy of the clauses to a data subject, this extends to providing a copy of the subprocessing contract.
Practical points for data controllers
Make sure that you have a list and copies of all sub-processing agreements and keep this updated.
If something changes on an existing contract with a non-EEA data processor, update with the new model clauses.
Practical points for data processors
Make sure that all terms in the contract between the data controller and you flow through to any sub-processing agreements.
Be aware that it is the law where the data controller is based that applies to the data protection aspects of the subcontract. In practice this could mean that there is a data controller based in England who transfers personal data to a data processor based in India who then transfers personal data to a sub-processor in Japan. English law will apply to the relationship between the data controller and the data processor and the data processor and the sub-processor.
It may be worth separating the data protection element from a larger contract if you don't want the jurisdiction to be that of the data controller for all contractual terms and if you don't want to have to provide copies of the commercial terms to the data controller.