The Decision simplifies the process for companies and organisations wishing or needing to transfer personal data for "processing" in a third country, a term which covers any use of the data. In particular, the Decision offers companies a straightforward means of complying with their legal obligation to ensure "adequate protection" for personal data transferred to countries outside the EU. Use of these standard contractual clauses will be voluntary.
Under the standard contractual clauses, an EU company exporting data should instruct its subcontractor to treat the data with full respect to the EU data protection requirements and should guarantee that appropriate technical and security measures are in place in the destination country. It complements a previous Decision which laid down standard clauses for the transfer of personal data to controllers. A data controller is any person or organisation determining the means of processing, or using, the data. The data processor is a subcontractor using the data on behalf of the controller.
The standard contractual clauses are only one of several possibilities under the EU data protection Directive for lawfully transferring personal data outside the EU. The present Decision spells out the rights and obligations of the data controller in the EU and the data processor established in a non-EU country and the necessary safeguards that both need to fulfil in order to be able to carry out the processing of personal data outside the EU.
The standard contractual clauses are not compulsory for businesses. However, the advantage of using these standard clauses when transferring personal data to processors in countries outside the EU is that Member States' data protection authorities are obliged to recognise that these transfers enjoy adequate protection. The standard contractual clauses therefore add a new possibility to those already existing under the Data Protection Directive, which establishes several cases where data may still be transferred to countries where the data protection regime is not adequate. These include cases where individuals have given their unambiguous consent for data to be transferred outside the EU and where the transfer is necessary for the conclusion or performance of a contract in the interest of the data subjects. In addition, Member States' data protection authorities may authorise such transfers on a case by case basis when they are satisfied that the processing in a non-EU country enjoys "adequate protection".
Contractual clauses are not necessary for the transfer of personal data within the EEA (European Economic Area EU, plus Iceland, Norway and Liechtenstein), to those countries whose own data protection regimes have been recognised by the Commission as offering adequate protection (so far, Switzerland, Hungary and Canada), or to US companies adhering to the 'Safe Harbor' Privacy Principles issued by the US Department of Commerce.