New EC "Data Controller to Data Processor" Model Clauses for Transfers of Personal Data Outside the EEA
The European Commission has recently approved in Decision 2010/87/EU new model clauses for the transfer of personal data from a data controller established in the EU to a data processor established in a third country outside the EEA. The new "data controller to data processor" model clauses, which replace the clauses approved by Decision 2002/16/EC, came into effect on 15 May 2010. The "data controller to data controller" model clauses (approved by Decisions 2001/497/EC & 2004/915/EC) remain unchanged. Pursuant to the EU Data Protection Directive 95/46/EC personal data may only be transferred to countries outside the European Economic Area if that recipient country ensures an adequate level of data protection, or one of a limited number of specified exemptions applies (such as the data subject giving his/her consent to the transfer).
This means that from 15 May 2010, any data controller wishing to demonstrate “adequacy” by using the EU “data controller to data processor” model clauses will need to use these new 2010 model clauses.
Existing "data controller to data processor" contracts concluded under clauses approved by Decision 2001/16/EC will remain valid, unless the parties to the contract wish to make changes to the existing contract. In that event the parties will need to enter into a new contract, which includes the new model clauses.
The main change implemented by the new "data controller to data processor" model clauses is that they contain express provisions allowing the outsourcing by the data processor of its processing activities to another sub-processor(s). The previous "data controller to data processor" model clauses had been criticised for not taking into account the practice of more globalised data processing activities and the onwards transfers of data from a data processor established in a third country to another non-EEA sub-processor. The new model clauses contain a number of restrictions in respect of any sub-processing activities. The data importer is required to inform the data exporter and obtain its prior written consent before disclosing the personal data to a third party processor. In addition, the sub-processing must consist only of the same operations agreed in the contract between the data exporter and the data importer. The data importer must also enter into a written contract with the sub-processor, incorporating the same model clauses as the contract between the data exporter and the data importer, and must provide the data exporter with a full copy of the sub-contract.
The new 2010 model clauses are available to download from the EU’s Eur-Lex website: eur-lex.europa.eu/LexUriServ/LexUriServ.do(pdf.)
