Commission Decision on Transfer of Personal Data

The model contracts and clauses for the transfer of personal data to third countries established by Commission Decision

Published under Risk Management
Title: Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC;
and the Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries
Source reference: http://ec.europa.eu/
Topic: Export of personal data to third countries, specifically non-E.U. countries which have not been recognised as having a data protection level that is adequate (i.e. equivalent to that of the E.U.)
Direct / indirect relevance: Direct. The text directly prescribes an obligation to assess security measures with regard to data processing and to take the required security precautions.
Scope: The Commission Decisions both define a distinct set of model clauses which can be adopted on a voluntary basis by parties wishing to export personal data outside the E.U., in compliance with the Data Protection Directive
Legal force: Model clauses, i.e. strictly voluntary.
Affected sectors: Can be adopted on a voluntary basis by any parties wishing to export personal data outside the E.U.
Relevant provision(s): Commission decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC – Annex – Standard Contractual Clauses – Appendix 2 to the Standard Contractual Clauses

Clause 5 – Obligations of the data importer
The data importer agrees and warrants:
(b) to process the personal data in accordance with mandatory data protection principles set out in Appendix II; […]
[…]
(d) at the request of the data exporter to submit its data processing facilities for audit which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications, selected by the data exporter, where applicable, in agreement with the supervisory authority.
[…]

Appendix 2 to the standard contractual clauses – Mandatory data protection principles referred to in the first paragraph of Clause 5(b)
[…]

 

4. Security and confidentiality – technical and organisational measures must be taken by the data controller that are appropriate to the risks, such as unauthorised access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the controller.

Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries – Annex - SET II - Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)

II. Obligations of the data importer
The data importer warrants and undertakes that:
(a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
[…]
(g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
[…]

Annex A – Data processing principles

 

4. Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
Relevance to RM/RA: Both Commission Decisions provide a set of voluntary model clauses which can be used to export personal data from a data controller (who is subject to E.U. data protection rules) to a data processor outside the E.U. who is not subject to these rules or to a similar set of adequate rules.

Upon acceptance of the model clauses, the data controller must warrant that she has taken the appropriate legal, technical and organisational measures to ensure the protection of the personal data against (inter alia) accidental loss, destruction or unauthorised access, including by acts of the data processor.

Furthermore, the data processor must agree to permit auditing of its security practices to ensure compliance with applicable European data protection rules.