EU model contractual clauses
Please note: This is one of a series of guides about overseas
transfers of personal data. If you're new to that subject, read
the introduction to overseas
transfers first.
The European Commission has published model contractual clauses,
use of which will ensure Principle 8 compliance (see our OUT-LAW
guide Options for Principle 8 compliance). The UK Information
Commissioner has approved the use of the model contractual clauses
as a means of ensuring adequacy under Principle 8. However, this
approval only extends to use of the model contractual clauses as
they stand, or with additional contractual language added to them
that does not contradict them in any way. Any amendment to the
model contractual clauses, even one that does not affect the
meaning of the clauses, will mean that the data controller does not
benefit from the Information Commissioner's approval. The data
controller may still rely on such amended clauses as part of its
own assessment of adequacy (see our OUT-LAW guide Options for
Principle 8 compliance).
The standard contractual clauses are designed to facilitate
transfers of personal data from the EEA to all third countries,
while providing sufficient safeguards for the protection of the
privacy of individuals. The clauses are an alternative to the other
routes to compliance, such as obtaining the data subject's consent.
Organisations intending to transfer personal data to third
countries are not obliged to use these clauses if they can satisfy
the adequacy test by one of those other routes (see our OUT-LAW
guide Options for Principle 8 compliance).
There are two sets of model clauses produced by the European
Commission; one governs controller-to-controller transfers and the
other controller-to-processor transfers. There is also an
additional approved set, put forward by a group of international
business associations, which covers controller-to-controller
transfers. There are currently no clauses for
processor-to-processor transfers.
In essence, both data importer and data exporter have to warrant and
undertake that they have complied with data protection standards
which meet the requirements of the Data Protection Directive in
respect of the data. They must accept liability to data subjects
for breach of those standards, with cross-indemnities to ensure
that the party responsible for the actual breach meets the cost of
it. For example, both sides agree to meet requests from data
subjects relating to the right of access to personal data and to
reply to requests for information from the data protection
authorities. Both sides warrant that the processing they undertake
is lawful under their own laws, and both sides accept that data
subjects may bring claims against them for any damage caused.
The data importer based outside the EEA has the more onerous task.
In addition to the above, the importer must agree to limit its
processing to what is specified in the contract. So, for example,
the personal data transferred by the data exporter cannot be used,
disclosed or transferred to another party without the prior written
consent of the exporter.
In addition, the data importer must adopt appropriate levels of
security, identify all staff who require training in data
protection matters, and notify the data exporter of any laws which
allow the authorities in the importer's country to access the
exporter's personal data. Failure to comply with these provisions
will permit the data exporter to terminate the contract with the
importer. Finally, the contract also provides for other termination
rights and deals with jurisdictional matters. The Mandatory Data
Protection Principles are annexed to the standard contractual
clauses.
Understandably, organisations have concerns about the role of these
clauses in a commercial transaction, as they are not particularly
user-friendly. They are nevertheless often the simplest option,
provided the data exporter can persuade the overseas organisation
to sign up to them.
See: The text of the
standard contractual clauses.
© Pinsent Masons 2008