The updated standard contractual clauses for the transfer of personal data to processors in non-EU countries steps towards a more even balance between global business needs and the protection of personal data.

On 5 February 2010, the European Commission adopted a decision updating the standard contractual clauses for the transfer of personal data to processors established in non-EU countries not recognised as offering an adequate level of data protection. This decision replaces the 2002 standard contractual clauses and will come into force on 15 May 2010.

Specific provisions will now allow data processors to outsource processing activities to sub-processors under certain conditions, reflecting current business models whilst continuing to protect data subjects' personal data. Data subjects are granted third party beneficiary rights against the EU data exporter and, under some circumstances, against the data importer, to enforce contractual obligations between the exporter and the importer in order to protect their rights and to obtain compensation if a data subject suffers damage as a consequence of a breach.

The updated standard contractual clause now more accurately reflect the reality of data processing arrangements and the Vice President of the EU Commission, Jacques Barrot, believes these updated standard contractual clauses will cater more effectively for new business models and growing trends towards global processing.