Privacy & Data Protection
On February 5, 2010, the European Commission adopted a Decision that updates the standard contractual clauses for the transfer of personal data to processors established outside the European Economic Area in countries that are not recognized as offering an 'adequate level of data protection'.
With respect to international transfers of personal data to countries outside of the European Economic Area, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data provides that transfers to such third countries of personal data, which are undergoing processing or are intended for processing after transfer, may take place only if the third country ensures an "adequate level of protection".
However, where a third country does not ensure an adequate level of protection, under certain conditions, Member States may nevertheless authorize a transfer of personal data to that third country.
This is, inter alia, the case where the controller (who sends the personal data to the processor in the third country) adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. Such safeguards may in particular result from the use of appropriate contractual clauses in the contract entered into between the controller and the processor.
In that respect, Directive 95/46/EC provides that the European Commission may decide that certain standard contractual clauses offer sufficient safeguards for transfers of personal data to a third country that does not offer an adequate level of protection.
The European Commission did so with respect to the so-called "controller to processor" standard contractual clauses, which were approved by Commission Decision 2002/16/EC.
These standard contractual provisions allow companies to comply with the obligation to ensure "adequate protection" for personal data when it is transferred to processors outside the European Economic Area who are located in countries that do not ensure an adequate level of protection. Indeed, these standard contractual clauses are automatically considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of the individuals concerned.
The February 5, 2010, Decision of the European Commission has modified the standard contractual clauses to be applied in case of a transfer of personal data from the controller to the processor. It has done so in order to take into account the expansion of processing activities and new business models for international processing of personal data. The new text contains specific provisions to allow, under certain conditions, the outsourcing of processing activities by the processor in the third country to "sub-processors", while ensuring a constant protection of personal data. It provides, inter alia, for specific rules on which entity (controller / processor / sub-processor) can be held liable in case a data subject has suffered damage as a consequence of a violation of privacy and data protection obligations.
The new standard contractual clauses can be found at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF
For more information, contact: Frederik Van Remoortel.