On March 21st, 2014, the EU Article 29 Working Party (the "Working Party") issued the "Working document 01/2014 on Draft Ad hoc contractual clauses 'EU data processor to non-EU sub-processor'" (the "Draft Contractual Clauses"). The Working Party decided to propose a new set of contractual clauses dedicated to the international transfers of personal data from an EU data processor (data exporter) to a non-EU data sub-processor (data importer) and subsequent sub-processors (as applicable).
The Background of the Working Party's initiative is the "Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council" (the "Standard Contractual Clauses"). The decision sets out the EU's safeguards and conditions to frame the processing activities of a data processor and potential sub-processors in a third country. It shall ensure that the data controller maintains sufficient control over those activities, thus ensuring that the personal data being transferred continue to be adequately protected.
The decision applies to transfers of personal data from data controllers established in the EU to data processors established in third countries. However, it does not apply to the situation in which a data processor established in the EU performs the processing of personal data on behalf of a data controller established in the EU and subcontracts his processing operation to a sub-processor established in a third country. The Draft Contractual Clauses are intended to fill this gap.
Whereas the Draft Contractual Clauses have not been adopted by the European Commission and therefore neither constitute a new official set of model clauses nor a finalized set of ad hoc clauses that may be used by companies in order to offer sufficient guarantees in accordance with Article 26(2) of Directive 95/46/EC, they give at least an impression on how a future set of contractual clauses may look.
The Draft Contractual Clauses are similarly structured and composed as the Standard Contractual Clauses. However, the Draft Contractual Clauses aim at transposing the substance of the Standard Contractual Clauses from a controller-to-processor based relationship to a processor-to-sub-processor(s) based relationship. Key topics of the Draft Contractual Clauses are the following:
- The Framework Contract: A main topic of the Draft Contractual Clauses is the incorporation of, and reference to, a so-called "Framework Contract", meaning an agreement concluded between the data controller and the data exporter in accordance with applicable national data protection law transposing Article 17 of Directive 95/46/EC. The Framework Contract takes a defining role in several parts of the Draft Contractual Clauses, notably the data exporter's obligations.
- Security Measures: Applicable data protection law refers to the legislation applicable to the data controller. However, as regards to the security measures, the law where the data exporter is established will also be applicable. If detailed rules regarding to security measures in the law applicable to the data controller and the law applicable to the data exporter as provided by Article 17(3) of Directive 95/46/EC are in conflict, the law of the data exporter shall prevail.
- Third-party Beneficiary Clause and Liability Provisions: The data controller shall primarily be accountable for data protection compliance. If the data controller has factually disappeared or has ceased to exist in law, the data exporter, the data importer and any subsequent sub-processor shall have subsidiary liability in a three-tiered concept.
- Governing Law: The Draft Contractual Clauses shall be governed by the law of the Member State in which the data controller is established.
- Sub-Processing: The data importer shall not subcontract any of its processing operations performed on behalf of the data controller under the Draft Contractual Clauses without prior written authorization of the data controller or of the data exporter given on behalf and according to the instructions of the data controller. Depending on the provisions of the Framework Contract, the data controller may have decided that its general prior written authorization is sufficient. Otherwise prior written authorization needs to be given on a case-by-case basis.
- Termination and obligations after termination: The data exporter (and/or the data importer) shall suspend the transfer of data and/or terminate the Draft Contractual Clauses (and/or any sub-processing contract concluded with subsequent sub-processors) according to the instructions of the data controller, and notably when the Framework Contract is terminated. After termination, the data exporter and/or the data importer shall, at the choice of the data controller, return or erase the relevant data.
It will be interesting to follow the further discussion on the Draft Contractual Clauses. This is particularly true with regard to the comprehensive obligations implicitly imposed on the data controller (who is not a party to the Draft Contractual Clauses) by way of the numerous references to the Framework Contract. Given their complexity, it will also be interesting to see whether the Draft Contractual Clauses will gain acceptance towards the existing alternatives (i.e., Standard Contractual Clauses between data controller and non-EU sub-processor(s) and Binding Corporate Rules (BCR) for data processors).