Brussels, 22nd January 2002
Data protection: Standard contractual clauses to facilitate personal data transfers to third countries for processing
The European Commission has adopted a Decision setting out standard contractual clauses for the transfer of personal data to processors (subcontractors) established in non-EU countries that are not recognised as offering an adequate level of data protection. The Decision simplifies the process for companies and organisations wishing or needing to transfer personal data for processing in a third country. In particular, the Decision offers companies a straightforward means of complying with their obligation to ensure "adequate protection" for personal data transferred to countries outside the EU. Use of these standard contractual clauses will be voluntary. Under the standard contractual clauses, an EU company exporting data should instruct its subcontractor to treat the data with full respect to the EU data protection requirements and should guarantee that appropriate technical and security measures are in place in the destination country. It complements Decision 2001/497/EC (IP/01/851) which laid down standard clauses for the transfer of personal data to controllers.
Internal Market Commissioner Frits Bolkestein, said "This is an additional practical measure making it easier for companies and organisations to comply with their obligation to ensure "adequate protection" for personal data transferred from the EU to the rest of the world while safeguarding individuals' right to privacy."
The standard contractual clauses are only one of several possibilities under the EU data protection Directive (95/46/EC) for lawfully transferring personal data outside the EU. The present Decision spells out the rights and obligations of the "Data Controller" in the EU (i.e. any person or body determining the purposes and the means of the processing) and the "Data Processor" established in a non-EU country (i.e. a subcontractor processing the data on behalf of a data controller) and the necessary safeguards that both need to fulfil in order to be able to carry out the processing of personal data outside the EU.
The standard contractual clauses are not compulsory for businesses. However, the advantage of using these standard clauses when transferring personal data to processors in countries outside the EU is that Member States' data protection authorities are obliged to recognise that these transfers enjoy adequate protection. The standard contractual clauses therefore add a new possibility to those already existing under the Data Protection Directive, which establishes several cases where data may still be transferred to countries where the data protection regime is not adequate. These include cases where individuals have given their unambiguous consent for data to be transferred outside the EU and where the transfer is necessary for the conclusion or performance of a contract in the interest of the data subjects. In addition, Member States' data protection authorities may authorise such transfers on a case by case basis when they are satisfied that the processing in a non-EU country enjoys "adequate protection".
The Decision also does not prevent national Data Protection Authorities authorising other 'ad hoc' contractual arrangements for international data transfers as long as these authorities are satisfied that the contracts in question provide sufficient safeguards for the protection of the fundamental rights and freedoms of individuals and, in particular, their right to privacy.
Contractual clauses are not necessary for the transfer of personal data within the EEA (European Economic Area EU, plus Iceland, Norway and Liechtenstein), to those countries whose own data protection regimes have been recognised by the Commission as offering adequate protection (so far, Switzerland, Hungary and Canada), or to US companies adhering to the 'Safe Harbor' Privacy Principles issued by the US Department of Commerce (see IP/00/865 and IP/02/46).
The harmonisation of data protection rules in the EU aims to ensure the free movement of information (including personal data) between Member States, whilst at the same time ensuring a high level of protection for any person concerned. In the case of non-EU countries, Directive 95/46/EC requires Member States to permit transfers of personal data only where there is "adequate protection" for such data, unless one of a limited number of specific exemptions applies. Without such rules, the high standards of data protection established by the Directive could be quickly undermined, given the ease with which data can be moved around using international networks.
The Commission has declared its readiness to examine and if appropriate approve other sets of standard contractual clauses submitted by business organisations or other interested parties.
Further information about this decision and the standard contractual clauses are available on the Europa website: