Saturday, November 7, 2015

Model Contracts for the transfer of personal data to third countries

Overview

The Council and the European Parliament have given the Commission the power to decide, on the basis of Article 26 (4) of directive 95/46/EC that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2), that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.
The Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for the transfer to processorsestablished outside the EU/EEA.

Contractual clauses

1. “(EU-)controller to (Non-EU/EEA-)controller”
2. “(EU-)controller to (Non-EU/EEA-)processor”
The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.
The frequently asked questions on international transferspdf(407 kB) provide additional information on the principles and use of the standard contractual clauses.

Legislation

Commission Decision 2001/497/EC Controller to Controller transfers (amended by Commission Decision C(2004) 5271)

Commission Decision C(2004)5271
Controller to Controller transfers

Commission Decision C(2010)593
Controllers to Processors transfers
(repealing Decision 2002/16/EC)

Procedure for adoption

The procedure for adoption by the Commission of standard contractual clauses, in accordance with thecomitology process, is as follows:
  • proposal from the Commission;
  • an opinion by Member States' data protection authorities and the EDPS, in the framework of the Article 29 Working Party;
  • an approval from the "Article 31 Committee", composed of representatives of Member States, under the comitology "examination procedure";
  • the adoption of the decision by the College of Commissioners;
  • at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that it act exceeds the implementing powers provided for in the Directive.
The effect of such a decision is that by incorporating the standard contractual clauses into a contract, personal data can flow from a Data Controller established in any of the 28 EU MS and three EEA member countries (Norway, Liechtenstein and Iceland) to a Data Controller or to data processors established in a country not ensuring an adequate level of data protection.

Additional documentation

Commission Staff Working Document SEC(2006)95

Commission Decision 2002/16/EC (repealed by Commission Decision C(2010)593)

No comments:

Post a Comment