Transferring Personal Data to non-EU countries: Standard Contractual Clauses

SUMMARY OF:

Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC

WHAT IS THE AIM OF THE DECISION?

It lays down standard contractual clauses which can be used by data controllers* (exporters) in the EU that transfer personal data* to data processors* (importers) established outside the EU or EEA, to provide appropriate data protection safeguards and thereby comply with the requirements of EU data protection laws (the general data protection regulation — Regulation (EU) 2016/679 — see summary).

KEY POINTS

The standard contractual clauses are set out in the annex to the decision as follows. Standard contractual clauses only relate to data protection and can be included by the parties in a wider contract or be supplemented with other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by this decision.

Clause 1: Definitions

Definitions of key notions used in the standard contractual clauses are set out.

Clause 2: Transfer details

The parties should list, in an annex to the contractual clauses, the details of the transfers, including the relevant activities of the data importer and exporter, the categories of personal data transferred and the processing operations to which the personal data will be subject once transferred.

Clause 3: Third-party beneficiary clause

The clause allows data subjects to enforce several of the clauses against the data exporter, data importer or sub-processor as a third-party beneficiary. It furthermore provides that the parties do not object to a data subject being represented by an association or other body if permitted by national law.

Clause 4: Obligations of the data exporter

This clause lays down the contractual obligations for the data exporter, which has to agree and warrant to:

process the personal data only in accordance with data protection law;
instruct the data importer to process the data only on the data exporter’s behalf and in accordance with data protection law and the clauses;
provide (and comply with) sufficient guarantees in respect of technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in particular where processing is over a network;
inform the data subject if special categories of data could be transmitted to a non-EU country with inadequate data protection;
forward the notification that it has received from the data importer about the latter’s inability to comply with the clauses to the competent supervisory authority, if it decides to continue the transfer;
make available to data subjects, upon request, a copy of the clauses, with a summary description of the security measures;
in the event of sub-processing, the sub-processor must provide at least the same level of personal data protection as the data importer.

Clause 5: Obligations of the data importer

This clause lays down the contractual obligations of the data importer, which has to agree and warrant:

to process the personal data only on behalf of the data exporter and in compliance with its instructions and the clauses;
that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract;
to promptly notify any change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the clauses, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
to implement specified technical and organisational security measures before processing the personal data transferred;
to promptly notify the data exporter about requests to disclose personal data by a law enforcement authority, any accidental or unauthorised access, and any request received directly from the data subjects without responding to the request, unless otherwise authorised;
to deal promptly with all inquiries from the data exporter and to abide by the advice of the supervisory authority;
at the request of the data exporter, to submit its data-processing facilities for audit of the processing activities covered by the clauses;
to make available to data subjects, upon request, a copy of the clauses, with a summary description of the security measures;
to hire a sub-processor only with prior written consent of the data exporter.

Clause 6: Liability

The clauses require the parties to agree that any data subject who has suffered damages as a result of any breach of the obligations is entitled to receive compensation from the data exporter for the damages suffered.

Clause 7: Mediation and jurisdiction

The data importer must agree that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages, it will accept the decision of the data subject to refer the dispute to independent mediation, or to the courts in the EU country in which the data exporter is established (with the right to seek remedies under other national or international laws).

Clause 8: Cooperation with supervisory authorities

This clause governs the cooperation with the competent supervisory authority, by providing that:

the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor;
the data importer agrees to inform the data exporter about any legislation preventing an audit of the data importer. In such a case the data exporter shall be entitled to suspend data transfer or terminate the contract.

Clause 9: Governing law

The clauses should be governed by the national law of the EU country in which the data exporter is established.

Clause 10: Variation of the contract

The parties must not vary, modify or contradict the clauses.

Clause 11: Sub-processing

The provisions relating to sub-processing should be governed by the law of the EU country in which the data exporter is established.

Clause 12: Obligation after the termination of personal data-processing services

This clause regulates the obligations of the parties after termination of the data processing. In particular, the parties should agree that at the end of data-processing services, the data importer and the sub-processor must return (or destroy, on request) all the personal data transferred unless prevented from doing so by legislation.

FROM WHEN HAS THE DECISION APPLIED?

It has applied since 15 May 2010.

BACKGROUND

Note: this decision was the subject of a request for preliminary ruling that led to the Court of Justice of the EU judgment (Case C-311/18) of 16 July 2020, in which the Court confirmed the validity of the decision.
The European Commission has also issued 2 sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or EEA.
See also:
- Data protection (European Commission).

KEY TERMS

Data controller: the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.

Personal data: any information relating to a person (data subject) who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

MAIN DOCUMENT

Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, pp. 5-18)

Successive amendments to Decision 2010/87/EU have been incorporated into the original text. This consolidated version is of documentary value only.