This document is an excerpt from the EUR-Lex website
Document 32010D0087
Transferring Personal Data to non-EU countries: Standard Contractual Clauses
This summary has been archived and will not be updated, because the summarised document is no longer in force or does not reflect the current situation.
It lays down standard contractual clauses which can be used by data controllers* (exporters) in the EU that transfer personal data* to data processors* (importers) established outside the EU or EEA, to provide appropriate data protection safeguards and thereby comply with the requirements of EU data protection laws (the general data protection regulation — Regulation (EU) 2016/679 — see summary).
The standard contractual clauses are set out in the annex to the decision as follows. Standard contractual clauses only relate to data protection and can be included by the parties in a wider contract or be supplemented with other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by this decision.
Clause 1: Definitions
Definitions of key notions used in the standard contractual clauses are set out.
Clause 2: Transfer details
The parties should list, in an annex to the contractual clauses, the details of the transfers, including the relevant activities of the data importer and exporter, the categories of personal data transferred and the processing operations to which the personal data will be subject once transferred.
Clause 3: Third-party beneficiary clause
The clause allows data subjects to enforce several of the clauses against the data exporter, data importer or sub-processor as a third-party beneficiary. It furthermore provides that the parties do not object to a data subject being represented by an association or other body if permitted by national law.
Clause 4: Obligations of the data exporter
This clause lays down the contractual obligations for the data exporter, which has to agree and warrant to:
Clause 5: Obligations of the data importer
This clause lays down the contractual obligations of the data importer, which has to agree and warrant:
Clause 6: Liability
The clauses require the parties to agree that any data subject who has suffered damages as a result of any breach of the obligations is entitled to receive compensation from the data exporter for the damages suffered.
Clause 7: Mediation and jurisdiction
The data importer must agree that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages, it will accept the decision of the data subject to refer the dispute to independent mediation, or to the courts in the EU country in which the data exporter is established (with the right to seek remedies under other national or international laws).
Clause 8: Cooperation with supervisory authorities
This clause governs the cooperation with the competent supervisory authority, by providing that:
Clause 9: Governing law
The clauses should be governed by the national law of the EU country in which the data exporter is established.
Clause 10: Variation of the contract
The parties must not vary, modify or contradict the clauses.
Clause 11: Sub-processing
The provisions relating to sub-processing should be governed by the law of the EU country in which the data exporter is established.
Clause 12: Obligation after the termination of personal data-processing services
This clause regulates the obligations of the parties after termination of the data processing. In particular, the parties should agree that at the end of data-processing services, the data importer and the sub-processor must return (or destroy, on request) all the personal data transferred unless prevented from doing so by legislation.
It has applied since 15 May 2010.
Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, pp. 5-18)
Successive amendments to Decision 2010/87/EU have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)
See consolidated version.
Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (OJ L 385, 29.12.2004, pp. 74-84)
Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181, 4.7.2001, pp. 19-31)
See consolidated version.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, pp. 31-50)
See consolidated version.
last update 07.10.2020