2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (notified under document number C(2004) 5271)Text with EEA relevance
OJ L 385, 29.12.2004, p. 74–84 (ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, NL, PL, PT, SK, SL, FI, SV)
OJ L 306M , 15.11.2008, p. 69–79 (MT)
Special edition in Bulgarian: Chapter 13 Volume 47 P. 72 - 82
Special edition in Romanian: Chapter 13 Volume 47 P. 72 - 82
Special edition in croatian Chapter 13 Volume 016 P. 210 - 220
CS DA DE EL EN ES ET FI FR HU IT LT LV NL PL PT SK SL SV
|Bilingual display: BG CS DA DE EL EN ES ET FI FR HU IT LT LV NL PL PT RO SK SL SV|
of 27 December 2004
amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries
(notified under document number C(2004) 5271)
(Text with EEA relevance)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data , and in particular Article 26(4) thereof,
(1) In order to facilitate data flows from the Community, it is desirable for data controllers to be able to perform data transfers globally under a single set of data protection rules. In the absence of global data protection standards, standard contractual clauses provide an important tool allowing the transfer of personal data from all Member States under a common set of rules. Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC  therefore lays down a model set of standard contractual clauses which ensures adequate safeguards for the transfer of data to third countries.
(2) Much experience has been gained since the adoption of that Decision. In addition, a coalition of business associations  has submitted a set of alternative standard contractual clauses designed to provide a level of data protection equivalent to that provided for by the set of standard contractual clauses laid down in Decision 2001/497/EC while making use of different mechanisms.
(3) Since the use of standard contractual clauses for international data transfers is voluntary as standard contractual clauses are only one of several possibilities under Directive 95/46/EC, for lawfully transferring personal data to a third country, data exporters in the Community and data importers in third countries should be free to choose any of the sets of standard contractual clauses, or to choose some other legal basis for data transfer. As each set as a whole forms a model, data exporters should not, however, be allowed to amend these sets or totally or partially merge them in any manner.
(4) The standard contract clauses submitted by the business associations aim at increasing the use of contractual clauses among operators by mechanisms such as more flexible auditing requirements and more detailed rules on the right of access.
(5) Moreover, as an alternative to the system of joint and several liability provided for in Decision 2001/497/EC, the set now submitted contains a liability regime based on due diligence obligations where the data exporter and the data importer would be liable vis-à-vis the data subjects for their respective breach of their contractual obligations; the data exporter is also liable for not using reasonable efforts to determine that the data importer is able to satisfy its legal obligations under the clauses (culpa in eligendo) and the data subject can take action against the data exporter in this respect. The enforcement of clause I(b) of the new set of standard contractual clauses is of particular importance in this regard, in particular in connection with the possibility for the data exporter to carry out audits on the data importers’ premises or to request evidence of sufficient financial resources to fulfil its responsibilities.
(6) As regards the exercise of third party beneficiary rights by the data subjects, greater involvement of the data exporter in the resolution of data subjects' complaints is provided for, with the data exporter being obliged to make contact with the data importer and, if necessary, enforce the contract within the normal period of one month. If the data exporter refused to enforce the contract and the breach by the data importer still continues, the data subject may then enforce the clauses against the data importer and eventually sue him in a Member State. This acceptance of jurisdiction and the agreement to comply with a decision of a competent court or data protection authority does not prejudice any procedural rights of data importers established in third countries, such as rights of appeal.
(7) In order, however, to prevent abuses with this additional flexibility, it is appropriate to provide that data protection authorities can more easily prohibit or suspend data transfers based on the new set of standard contractual clauses in those cases where the data exporter refuses to take appropriate steps to enforce contractual obligations against the data importer or the latter refuses to cooperate in good faith with competent supervisory data protection authorities.
(8) The use of standard contractual clauses will be made without prejudice to the application of national provisions adopted pursuant to Directive 95/46/EC or to Directive 2002//58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) , in particular as far as the sending of commercial communications for the purposes of direct marketing is concerned.
(9) On that basis, the safeguards contained in the submitted standard contractual clauses can be considered as adequate within the meaning of Article 26(2) of Directive 95/46/EC.
(10) The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion  on the level of protection provided under the submitted standard contractual clauses which has been taken into account.
(11) In order to assess the operation of the amendments to Decision 2001/497/EC, it is appropriate that the Commission evaluates them three years after their notification to the Member States
(12) Decision 2001/497/EC should be amended accordingly.
(13) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
Decision 2001/497/EC is amended as follows:
1. In Article 1 the following paragraph is added:
"Data controllers may choose either of the sets I or II in the Annex. However, they may not amend the clauses nor combine individual clauses or the sets."
2. In Article 4 paragraphs 2 and 3 are replaced by the following:
"2. For the purposes of paragraph 1, where the data controller adduces adequate safeguards on the basis of the standard contractual clauses contained in set II in the Annex, the competent data protection authorities are entitled to exercise their existing powers to prohibit or suspend data flows in either of the following cases:
(a) refusal of the data importer to cooperate in good faith with the data protection authorities, or to comply with their clear obligations under the contract;
(b) refusal of the data exporter to take appropriate steps to enforce the contract against the data importer within the normal period of one month after notice by the competent data protection authority to the data exporter.
For the purposes of the first subparagraph, refusal in bad faith or refusal to enforce the contract by the data importer shall not include cases in which cooperation or enforcement would conflict with mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, in particular sanctions as laid down in international and/or national instruments, tax-reporting requirements or anti-money-laundering reporting requirements.
For the purposes of point (a) of the first subparagraph cooperation may include, in particular, the submission of the data importer’s data processing facilities for audit or the obligation to abide by the advice of the data protection supervisory authority in the Community.
3. The prohibition or suspension pursuant to paragraphs 1 and 2 shall be lifted as soon as the reasons for the prohibition or suspension no longer exist.
4. When Member States adopt measures pursuant to paragraphs 1, 2 and 3, they shall without delay inform the Commission which will forward the information to the other Member States.".
3. In Article 5 the first sentence is replaced by the following:
"The Commission shall evaluate the operation of this Decision on the basis of available information three years after its notification and the notification of any amendment thereto to the Member States.".
4. The Annex is amended as follows:
1. After the title the term "SET I" is inserted.
2. The text set out in the Annex to this Decision is added.
This Decision shall apply from 1 April 2005.
This Decision is addressed to the Member States.
Done at Brussels, 27 December 2004.
For the Commission
Member of the Commission
 OJ L 281, 23.11.95, p. 31. Directive as amended by Regulation (EC) No 1883/2003 (OJ L 284, 31.10.2003, p. 1).
 OJ L 181, 4.7.2001, p. 19.
 The International Chamber of Commerce (ICC), Japan Business Council in Europe (JBCE), European Information and Communications Technology Association (EICTA), EU Committee of the American Chamber of Commerce in Belgium (Amcham), Confederation of British Industry (CBI), International Communication Round Table (ICRT) and the Federation of European Direct Marketing Associations (FEDMA).
 OJ L 201, 31.7.2002, p. 37.
 Opinion No 8/2003, available at: http://europa.eu.int/comm/privacy
+++++ ANNEX 1 +++++