Please note: This guide was last updated in May 2010. It is one of a series of guides about overseas transfers of personal data. If you're new to that subject, read the introduction to overseas transfers first.
The European Commission has published model contractual clauses, use of which will ensure Principle 8 compliance (see our OUT-LAW guide, Options for Principle 8 compliance).
The UK Information Commissioner has approved the use of the model contractual clauses as a means of ensuring adequacy under Principle 8. However, this approval only extends to use of the model contractual clauses as they stand, or with additional contractual language added to them that does not contradict them in any way.
Any amendments to the model contractual clauses, even where such amendment does not affect the meaning of the clauses, will mean that the data controller does not benefit from the Information Commissioner's approval. However, the data controller may still make use of such amended clauses as part of its own assessment of adequacy.
The standard contractual clauses are designed to facilitate transfers of personal data from the European Economic Area (EEA) to all third countries, while providing sufficient safeguards for the protection of the privacy of individuals. These clauses offer an alternative to the other means of fulfilling adequacy requirements, such as consent, but organisations intending to transfer personal data to third countries are not obliged to use them if they could pass the adequacy test by taking one of the other routes.
There are two sets of model clauses produced by the European Commission. One governs controller-to-controller transfers and the other controller-to-processor transfers.
The controller-to-processor model clauses were amended in 2010 to include any subprocessors (see our OUT-LAW guide, Model Clauses for transferring personal data overseas: the May 2010 changes). There is also an additional approved set, put forward by a group of international business associations, which covers controller-to-controller transfers. There are currently no clauses for processor-to-processor transfers.
In essence, all parties have to warrant and undertake that they have complied with data protection standards which meet the requirements of the Data Protection Directive in respect of the data.
A data importer cannot subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer. The data importer remains fully liable for the activities of its subprocessor. Where subprocessors are involved, the data exporter must have a list and copies of all subprocessor agreements.
The data exporter and importer must accept liability to data subjects for breach of those standards, with cross indemnities to ensure that the one responsible for the actual breach meets the cost of the breach.
For example, both sides agree to meet requests from data subjects relating to the right of access to personal data and to reply to requests for information from the data protection authorities. Both sides warrant that the processing they undertake is lawful with respect to their own laws, and both sides agree to be sued if damage is caused to data subjects. In addition, if a subprocessor is involved and the data importer has factually disappeared, then the data subject may sue the subprocessor.
The data importer based outside the EEA has the most onerous task. In addition to the obligations above, the importer has to agree to limit processing to the specification in the contract. The data importer must also adopt appropriate levels of security, identify all staff who require training in data protection matters, and notify the data exporter of those laws which allow the authorities in the importer's country to access the exporter's personal data. Failure to comply with these provisions will permit the data exporter to terminate the contract with the importer.
Finally, the contract also provides for other termination requirements and deals with jurisdictional matters.
The Mandatory Data Protection Principles are annexed to the standard contractual clauses. Understandably, organisations have concerns about the role of these clauses in a commercial transaction as they are not particularly user-friendly but they are often the simplest option if the data exporter can persuade the overseas organisation to sign up to them.