The European Commission recently approved* new model clauses for the transfer of personal data from a data controller established in the EU to a data processor established in a third country outside the EEA. The new "controller to processor" model clauses, which replace the clauses approved by Decision 2002/16/EC, come into effect on 15 May 2010. The "controller to controller" model clauses (approved by Decisions 2001/497/EC & 2004/915/EC) remain unchanged.
Pursuant to the EU Data Protection Directive 95/46/EC personal data may only be transferred to third countries outside the EEA** if that third country ensures an adequate level of data protection***, or one of a limited number of specified exemptions applies (such as the data subject giving his/her consent to the transfer). Directive 95/46/EC provides that the European Commission may decide that certain standard contractual clauses offer sufficient safeguards for transfers of personal data to a third country that does not offer an adequate level of protection.
The main change implemented by the new "controller to processor" model clauses is that they contain express provisions allowing the data processor to outsource its processing activities to one or more sub-processors. The current "controller to processor" model clauses have been criticised for not taking into account the practice of more globalised data processing activities and the onward transfer of data from a data processor established in a third country to another non-EEA sub-processor.
The new model clauses contain a number of restrictions in respect of any sub-processing activities. The data importer is required to inform the data exporter and obtain its prior written consent before disclosing the personal data to a third party processor. In addition, the sub-processing must consist only of the same operations agreed in the contract between the data exporter and the data importer. The data importer must also enter into a written contract with the sub-processor, incorporating the same model clauses as the contract between the data exporter and the data importer, and must provide the data exporter with a full copy of the sub-contract. If the sub-processor fails to fulfil its data-processing obligations under the contract, the data importer remains liable toward the data exporter. (Similarly, the data exporter remains liable for any default of the data importer.)
The new model clauses are enforceable not only by the organisations which are party to the contract, but also by the data subjects, particularly where the data subjects suffer damage as a result of a breach of the contract. The data subjects have a third party beneficiary right to take an action against the data exporter (i.e. the data controller), or in some cases against the data importer (i.e. the data processor), for any breach by the data importer or any sub-processor under it, where the data exporter has disappeared or has ceased to exist in law or has become insolvent. The data subject may also bring an action directly against the sub-processor for its default in the event that the data exporter and the data importer are no longer around. The liability of the sub-processor will be limited to its own processing operations under the model clauses.
The data protection obligations in the contract between the data importer and its sub-processors will be governed by the law of the Member State in which the data exporter is established, enabling a third party beneficiary to enforce the contract.
The new model clauses do not apply where a data processor established in the EEA, processing personal data on behalf of a data controller established in the EEA, subcontracts its processing activities to a sub-processor established in a third country outside the EEA. In such circumstances, the data controller may enter into the new model clauses directly with the non-EEA sub-processor.
Existing "controller to processor" contracts concluded under clauses approved by Decision 2002/16/EC will remain valid, unless the parties to the contract wish to make changes to the existing contract. In that event, the parties will need to enter into a new contract which includes the new model clauses.
The new "controller to processor" model clauses are available to download from the Data Protection Commissioner's website: www.dataprivacy.ie