Under the terms of European data protection laws, a UK business
must not transfer personal data, such as the names and addresses of
its customers, to any country without equivalent protection for
individuals’ privacy. This would include, for example, the UK
branch of a US company wanting to e-mail marketing data back to its
parent company in the US.
The draft contract is designed for downloading, completing and
signing by the data exporter and data importer. It provides that an
affected individual would be able to enforce his or her rights
under the contract as a beneficiary of it.
The data exporter must warrant under the contract that, for
instance, if sensitive personal data is involved, the individual
concerned has consented to the transfer to a country without an
adequate level of protection. The data importer also makes several
undertakings to ensure compliance with the general principles of
data protection found in EU law, such as offering an individual
equivalent rights of access to and correction of data held as those
to which he or she would be entitled in the country from which the
data is exported.
The Commission is inviting comments from any interested parties
before 16th October.
