On November 26st, 2014, the EU Article 29 Working Party[1] (the "Working Party") issued a "Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on ‘Contractual Clauses’ Considered as compliant with the EC Model Clauses".[2] The co-operation procedure (the "Procedure") aims to coordinate and harmonize the process between competent national data protection authorities ("DPA") relating to the assessment of contractual clauses to ensure compliance with EU data protection legislation. It is intended to further simplify intra-group data transfers based on standard contractual clauses (the "SCC").

The Working Party proposed the Procedure against the background of Article 26(2) of Directive 95/46/EC.[3] This article enables companies to utilize contractual clauses to adduce sufficient safeguards to legally frame international transfers of personal data from the EU. The European Commission previously issued three decisions on SCC: two for controller-to-controller transfers and one for controller-to-processor transfers.[4] Most contracts used by companies for international transfers of personal data are either entirely based on SCC, or are mostly based on SCC with selected divergences including additional clauses. If a contract is compliant with SCC, it reduces the number of national authorizations required for the international transfer (depending on national legislation)[5]. In many EU Member States, DPAs are not only required for the use of ad-hoc contracts (including modified SCC)[6], but also for the use of unmodified SCC[7]. Therefore, if different DPAs need to be approached for analyzing and approving the same contract as the same set of clauses is to be signed by group companies in various EU Member States, there is a risk the competent DPAs will not reach the same conclusion.

Launching the Co-Operation Procedure

To launch the Procedure, the company, whose contract is to be assessed, may approach the DPA it believes is best placed to lead and carry out the assessment (the "Entry DPA"). The submitted documentation must include a copy of the contract in written and electronic form, clearly indicating the reference number of the utilized SCC, highlighting all divergences and additional clauses and indicating the list of EEA Countries from which the company will be carrying out the transfers.[8]

The Procedure itself will then be led and carried out by the authority in charge of analyzing whether or not the proposed contract is in conformity with the SCC (the "Lead DPA")[9], which does not necessarily need to be the Entry DPA. The Lead DPA must be amongst the DPAs in the EU Member States from which the transfers will take place. It is the relevant company’s obligation to justify the reasons why a given DPA (e.g., the chosen Entry DPA) should be considered as Lead DPA[10]. Relevant criteria to determine the Lead DPA are:

  • the location from which the contractual clauses are decided and elaborated;
  • the place where most decisions in terms of the purposes and means of the processing are taken;
  • the best location for handling of the application and the enforcement of the contractual clauses in terms of management functions, administrative burden, etc.;
  • the EU Member States from which most transfers outside the EEA will take place; and
  • the location of the relevant company’s European headquarters or the location of the company within the group with delegated data protection responsibilities.[11]

The DPAs may, however, decide which DPA is in fact the most appropriate to be deemed as Lead DPA and may transfer the application to another DPA. This might also be the case due to an overload of requests. The Entry DPA will give the relevant company an answer within two weeks if the Procedure is appropriate and it accepts to act as Lead DPA. If the Entry DPA is willing to act as Lead DPA it will then forward the application to the other competent DPAs who may raise – within another two weeks – objections as to why they deem to be designated as Lead DPA and must indicate whether they agree to act as reviewing DPA(s).[12]

Phases of the Co-Operation Procedure 
The Procedure sub-divides into four stages:

  • Within the so-called "Review Process", a system of mutual recognition, similar to the one proposed for Binding Corporate Rules ("BCR")[13], is put in place.[14] If ten or more EU Member States are affected, three DPAs will be involved (one Lead DPA, two (co-)reviewer DPAs). If less than ten EU Member States are affected, the results of the Lead DPA will be reviewed by one DPA. As in the BCR mutual recognition, the Review Process will not only be used for harmonization purposes, but also in terms of exchange of expertise[15]. If the original geographical scope is extended at a later point in time, the additional competent DPAs are free to conduct their own analysis and are not bound by the decision taken in the context of a Procedure they were not part of[16]. If the Lead DPA takes the point that the contract is compliant with the SCC it expresses its opinion in a draft letter (the "Draft Letter") which is communicated with the proposed contract to the (co )reviewer(s)[17]. The (co )reviewer(s) will assess the contract within one month. If there is no answer from a (co-)reviewer in time, it will be deemed to have agreed to the Draft Letter.
  • At the end of the Review Process, the proposed contract, the Draft Letter and the analysis will be communicated to the other competent DPAs. DPAs that are part of the Review Process will acknowledge receipt of the documentation and, when the Draft Letter indicated compliance, accept this opinion as sufficient basis for providing their own approval (as applicable) or for providing positive advice to the body that provides such approval.[18] DPAs not part of the Review Process shall – within one month – comment the draft letter. If there is no answer in time, they will be deemed to have agreed to the draft letter.
  • The Procedure ends, if all reviewers and all DPAs not part of the Review Process have agreed on the Draft Letter. The Lead DPA will then sign the letter on behalf of the competent DPAs and send it to the relevant company (including information on whether the contract is in compliance with SCC).
  • As the decision in the Draft Letter refers to compliance with SCC, this does not exclude the potential requirement for approvals at national level.[19] Once the Procedure is closed, the relevant company may ask any competent national bodies for their approval (as applicable). Such bodies might in particular assess the annexes to the contract, e.g. including the data transfer description.

We look forward to seeing how the Procedure is implemented in practice. Given the "best practices" and experience gained by the DPAs within the BCR mutual recognition process, the Procedure might lead to a significant simplification for intra-group data transfers for modified SCC