The EU Commission has created model contracts for data transfers (the “Model Contracts”) and determined that organizations which use the Model Contracts offer sufficient safeguards for cross-border data transfer as required by the Directive.
The EU Commission has issued three Model Contracts: Two for transfers from data controllers to data controllers established outside the EU, and one for a transfer to a data processor outside the EU1. Once a company decides to use the model clauses functionally, three steps must be followed in order to put those clauses into place and have them help in the transfer of information out of the EU. The following provides a high level overview of how to implement a Model Contract:
Step 1 – National law compliance.
A Model Contract can help a company in the EU that intends on sending data to a company outside of the EU (e.g., one located in the United States) satisfy itself that the data, once received, will be safeguarded appropriately. The Model Contract does not, however, ensure that the company which intends to send data has a right to collect data in the first place, to process it, or to send it to a third party (regardless of the third party’s location). As a result, before implementing the Model Contract a company that intends to transmit data should examine the national law in which it sits to determine whether it has appropriately collected personal information and whether its intended processing of that information is legally permitted.
Step 2 – Implementation of applicable Model Contract.
The first step when implementing a Model Contract is to determine which of the three templates should be used. That determination largely depends upon whether the company receiving the data will be a “data controller” or a “data processor” under EU law. A “data controller” is defined within the EU Directive as a company that “determines the purposes and means of the processing of personal data.” Whether an organization is, or is not, a data controller is not controlled by contract, data ownership, or data license – it is based upon whether, in fact, an entity determines how data is processed. Specifically, the term has been interpreted as applying to any entity that determines “how long data shall be stored,” or “who shall have access to the data.” If some, or all, of these decisions are made jointly with other organizations both organizations are considered data controllers. A “data processor” is defined within the EU Directive as a company that acts only on “behalf of the controller” and does not, by itself, have a right to determine the means or purpose of processing. As a result, a company that is able to determine how long data is stored, when data is destroyed, and/or to whom data is given does not qualify as a “data processor” under the Directive. If the recipient is a data controller one of the two controller-controller Model Contracts should be selected; if the recipient is a data processor, the controller-processor Model Contract should be selected.
Once the correct Model Contract has been selected, a company can revise and modify it to suit their needs – so long as the modifications do not interfere with the substantive rights and obligations contained within the template. For example, a company can decide whether the Model Contract should be a stand-alone agreement, an exhibit to an existing agreement between the parties, or integrated into a larger contract.
Step 3 – National law administrative requirements (e.g. notification or registration with local Data Protection Authority).
Many countries within the EU currently require that a company that enters into a Model Contract take an additional step of notifying the Data Protection Authority of the existence of the agreement. The notification requirements differ by country. For example, some countries simply require that the Data Protection Authority be alerted that a transfer is occurring; other countries require that the Model Contract itself be filed with the Data Protection Authority. These national requirements will largely be removed over the next couple of years as European data privacy laws are unified as part of pan-Europe privacy reforms.
[1] EU Commission Decisions – Set I Controller – Controller 2001/497/EC (amended by C(2004)5271); Set II Controller - Controller C(2004) 5271; Controller – Processor C (2010) 593.
