The Decision simplifies the process for companies and
organisations wishing or needing to transfer personal data for
"processing" in a third country, a term which covers any use of the
data. In particular, the Decision offers companies a
straightforward means of complying with their legal obligation to
ensure "adequate protection" for personal data transferred to
countries outside the EU. Use of these standard contractual clauses
will be voluntary.
Under the standard contractual clauses, an EU company exporting
data should instruct its subcontractor to treat the data with full
respect for the EU data protection requirements and should guarantee
that appropriate technical and security measures are in place in
the destination country. The Decision complements a previous Decision which
laid down standard clauses for the transfer of personal data to
controllers. A data controller is any person or organisation
determining the means of processing, or using, the data. The data
processor is a subcontractor using the data on behalf of the
controller.
The standard contractual clauses are only one of several
possibilities under the EU data protection Directive for lawfully
transferring personal data outside the EU. The present Decision
spells out the rights and obligations of the data controller in the
EU and the data processor established in a non-EU country and the
necessary safeguards that both need to fulfil in order to be able
to carry out the processing of personal data outside the EU.
The standard contractual clauses are not compulsory for
businesses. However, the advantage of using these standard clauses
when transferring personal data to processors in countries outside
the EU is that Member States' data protection authorities are
obliged to recognise that these transfers enjoy adequate
protection. The standard contractual clauses therefore add a new
possibility to those already existing under the Data Protection
Directive, which establishes several cases where data may still be
transferred to countries where the data protection regime is not
adequate. These include cases where individuals have given their
unambiguous consent for data to be transferred outside the EU and
where the transfer is necessary for the conclusion or performance
of a contract in the interest of the data subjects. In addition,
Member States' data protection authorities may authorise such
transfers on a case-by-case basis when they are satisfied that the
processing in a non-EU country enjoys "adequate protection".
Contractual clauses are not necessary for the transfer of
personal data within the EEA (European Economic Area: EU, plus
Iceland, Norway and Liechtenstein), to those countries whose own
data protection regimes have been recognised by the Commission as
offering adequate protection (so far, Switzerland, Hungary and
Canada), or to US companies adhering to the 'Safe Harbor' Privacy
Principles issued by the US Department of Commerce.