An overview
Chapter V of the General Data Protection Regulation ("GDPR") restricts transfers of personal data outside the EEA unless the country to which the personal data is being transferred to has an EC adequacy decision or appropriate safeguards are taken.
Appropriate safeguards are listed in the GDPR and are intended to ensure that the same level of protection for data subjects' rights and freedoms is maintained whenever personal data is transferred.
The standard contractual clauses adopted by the European Commission ("EC"), also known as the Model Clauses, are one of the appropriate safeguards listed in the GDPR and are probably the most used option. The Model Clauses are drafted on the basis that they be entered into by the data exporter based in the EEA and the data importer based outside the EEA. They contain contractual obligations for the data exporter and data importer, and guarantee rights for data subjects whose personal data is transferred. The Model Clauses need to be used in their entirety and cannot be amended, although clauses on commercial issues can be added as long as such additions do not contradict the Model Clauses.
The EC adopted four sets of Model Clauses under Directive 95/46/EC, the predecessor of the GDPR. These comprise of two sets for restricted transfers between a controller and controller, and two sets for restricted transfers between a controller and processor. Please note that the earlier set of controller/processor clauses is no longer used for new contracts; these are only valid for contracts entered into prior to 2010. When making a restricted controller to controller transfer either set of (controller to controller) Model Clauses can be used depending on which one suits the commercial arrangement best.
As set out above, the current Model Clauses only address restricted transfers relating to controller to controller or controller to processor arrangements, and mainly focus on transfers from controllers based in the EEA. The Model Clauses cannot be used when personal data is transferred from a controller based in the EEA to a processor based in the EEA and then to a subprocessor based outside the EEA. The Article 29 Working Party (predecessor of the European Data Protection Board) however identified 3 different possibilities that could provide a legal framework for a transfer from a processor based in the EEA to a subprocessor based outside the EEA:
– direct contracts between controllers based in the EEA and processors based outside the EEA;
– including a clear contractual mandate from controllers based in the EEA to processors outside the EEA to use Model Clauses in their name and on their behalf; and
– ad-hoc contracts authorised by the relevant data protection authority (such as the ICO in the UK).
Please note that in the event of a no-deal Brexit, for data protection purposes, the UK would become a third country. Considering the applicability of the currently available Model Clauses, a no-deal Brexit creates challenges for organisations transferring personal data to and from the EEA. For example, UK (third country) controllers transferring personal data to the EEA would not be able to rely on the Model Clauses and UK (third country) subprocessors are not covered by the current Model Clauses. In reality, only UK processors and UK controllers that receive personal data from controllers based in the EEA would still be able to operate under the current Model Clauses. Considering that the Model Clauses might not be appropriate in all situations, we recommend reviewing your current and future data transfer arrangements and to verify what appropriate safeguarding measures to use.
We know that the EC plans to update the existing Model Clauses for the GDPR. Until that happens, the Directive-based Model Clauses can still be used when appropriate. Existing contracts incorporating the Model Clauses can continue to be used even after the EC has adopted GDPR Model Clauses. A different set of Model Clauses addressing the vacuum of transfers between processors based in the EEA and subprocessors based outside the EEA were drafted in 2014. These draft Model Clauses were however not formally adopted by the EC and therefore they cannot be recognised as an appropriate safeguard at this stage, despite the clear need for such Model Clauses addressing the processor/subprocessor situation and current political developments.
How we can help
We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits).
Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.