Brussels, 18 June 2001
Data protection: Commission approves standard contractual clauses for data transfers to non-EU countries
The European Commission has adopted a Decision setting out standard contractual clauses ensuring adequate safeguards for personal data transferred from the EU to countries outside the Union. The Decision obliges Member States to recognise that companies or organisations using such standard clauses in contracts concerning personal data transfers to countries outside the EU are offering "adequate protection" to the data. The EU's data protection Directive (95/46/EC) requires all personal data transferred to countries outside the Union to benefit from "adequate protection". Use of these standard contractual clauses will be voluntary but will offer companies and organisations a straightforward means of complying with their obligation to ensure "adequate protection" for personal data transferred to countries outside the EU which have not been recognised by the Commission as providing adequate protection for such data. So far, only Switzerland, Hungary and the US 'Safe Harbor' arrangement have been recognised as providing adequate protection (see IP/00/865).
Internal Market Commissioner Frits Bolkestein, said "This new practical measure will make it easier for companies and organisations to comply with their obligation to ensure "adequate protection" for personal data transferred from the Community to the rest of the world while safeguarding individuals' right to privacy."
The standard contractual clauses contain a legally enforceable declaration ("warrant") whereby both the "Data Exporter" and the "Data Importer" undertake to process the data in accordance with basic data protection rules and agree that individuals may enforce their rights under the contract.
The Commission Decision obliges Member States to recognise the contractual clauses annexed to the Decision as providing adequate safeguards and fulfilling the requirements of the Directive for data transfers to non-EU countries that do not provide for an adequate level of protection for personal data. However, the standard contractual clauses are neither compulsory for businesses, nor are they the only way of lawfully transferring data to third countries. They add a new possibility to those already existing under the Data Protection Directive, which establishes several cases where data may still be transferred to countries where the data protection regime is not adequate. These include cases where individuals have given their unambiguous consent for data to be transferred outside the EU and where the transfer is necessary for the conclusion or performance of a contract in the interest of the data subjects. In addition, Member States' data protection authorities may authorise such transfers on a case by case basis when they are satisfied the data enjoys "adequate protection".
Contractual clauses are not necessary for the transfer of data to Switzerland or Hungary, whose own data protection regimes have been recognised by the Commission as offering adequate protection:, or to US companies adhering to the 'Safe Harbor' Privacy Principles issued by the US Department of Commerce.
Data Protection Authorities in the Member States retain powers to prohibit or suspend data flows in exceptional circumstances, but the effect of this Decision is that they cannot refuse data transfers made under contracts that incorporate the standard contractual clauses approved by the Commission. The Decision also does not prevent national Data Protection Authorities authorising other 'ad hoc' contractual arrangements for the export of data out of the EU based on national law, as long as these authorities are satisfied that the contracts in question provide adequate protection for data privacy.
This Decision is only a first step in developing contractual solutions as a tailor-made tool for the transfer of personal data world-wide. The Commission intends to adopt separate Decisions referring to specific types of transfers and situations. The Commission is consulting Member States and Data Protection Authorities on a new draft Decision concerning standard contractual clauses for the transfer of personal data from data controllers (i.e. any person or body determining 'the purposes and the means of the processing') established in the Community to data processors (i.e. a subcontractor processing the data on behalf of a data controller) established in non-EU countries.
The harmonisation of data protection rules in the EU aims to ensure the free movement of information (including personal data) between Member States, whilst at the same time ensuring a high level of protection for any person concerned. In the case of non-EU countries, Directive 95/46/EC requires Member States to permit transfers of personal data only where there is "adequate protection" for such data, unless one of a limited number of specific exemptions applies. Without such rules, the high standards of data protection established by the Directive could be quickly undermined, given the ease with which data can be moved around using international networks.
The Directive requires the following general principles to be applied:
Further information about this Decision and the standard contractual clauses, including exchanges of letters with business associations and the US Departments of Commerce and Treasury, are available on the Europa website at:
See also MEMO/01/228 for answers to frequently asked questions concerning the Standard Contractual Clauses.