On 5 February the European Commission adopted a Decision to update the standard “Controller to Processor” standard contractual clauses (these are the clauses that had been approved by Commission Decision 2002/16/EC).

The Decision contains specific provisions which allow, under certain conditions, the outsourcing of processing activities to sub-processors, while at the same time ensuring a constant protection of personal data.

Under the newly adopted Decision, where a data importer (processor) intends to sub-contract any of its processing operations performed on behalf of an EU data exporter (controller), it must meet a number of conditions, including:-

  • the data importer must first obtain the prior written consent of the data exporter
  • the written contract has to impose the same obligations on the sub-processor as those imposed on the data importer by the data exporter under the standard contractual clauses
  • where the sub-processor fails to fulfil its data protection obligations, the data importer shall remain fully liable to the data exporter
  • the sub-processing may only consist of the processing operations agreed in the initial contract entered into by the data exporter and the data importer.

Data exporters and importers who are operating under the 2002 version of the “Controller to Processor” standard contractual clauses but who wish to make provision for the appointment of sub-processors will be required to enter into a new contract which complies with the updated version of the contractual clauses.

The updated version of the standard contractual clauses take into account new business models and the growing trends to global processing and outsourcing, and takes into account recommendations included in the Report on the implementation of the Commission Decisions on standard contractual clauses for the transfer of personal data to third countries (SEC(2006)95).