The Article 29 Working Party has published a 'frequently asked questions' guide to the new clauses, which were published in February and came into effect in May.
EU data protection law demands that personal information only be sent and processed outside of the EU if it is given the same protection there as it receives in Europe. This protection can come from the country's laws, as assessed by EU authorities, or from the use of 'model clauses' in data sharing agreements.
The European Commission created new model clauses earlier this year. Those new clauses make it clear that data protection obligations pass to subcontractors outside the EU, taking account of the fact that outsourcing often happens a number of times.
The rules ensure that the first company outside of the EU to which the data is sent remains responsible for its security, even if it sub-contracts some functions to other companies.
The Working Party's advice clarifies that the model clauses do not apply when the first transfer of data happens to a company inside the EU, but outlines ways in which companies could clarify responsibility for data in those circumstances.
The advice also covers the degree to which consent for sub-processing should be general or specific; and in what circumstances new agreements and clauses need to be made.
