By Patrick Van Eecke and Elisabeth Verbrugge
Working Party 29 issued a working document on model clauses for personal data transfers from EU data processors to non-EU sub-processors. This is an important step towards creating a more comprehensive framework for contract-based personal data transfers outside the EEA.
European data protection laws in principle prohibit the transfer of personal data to countries outside the EEA which are not deemed to offer an adequate level of protection. As only a very limited number of countries are deemed to offer such adequate level of protection, the processing of personal data in global companies or in a cross-border context in general, often proves to be a challenge. Indeed, transfers to such third countries are only permitted in case an exception applies, or in case the data controller adduces additional safeguards, e.g. via conclusion of a data transfer agreement. The European Commission has approved three sets of model clauses which can be used as a basis for such data transfer agreements. Subject to local notification and approval requirements, transfer agreements based on those model clauses will typically provide a sufficient legal basis for data transfers. To date, the European Commission has only approved model clauses governing “controller-to-controller” and “controller-to-processor” transfers.
However, practice demonstrates that companies are often confronted with an EU controller – EU processor – non-EU sub-processor set-up. The transfer of personal data outside the EEA only occurs in the processor – sub-processor relationship, and not in the controller – processor relationship. In such case, companies are often forced to rely on one of the exceptions permitting data transfers (which is often a challenge as the exceptions can rarely be invoked in relation to large-scale data transfers), or to create a customised data transfer agreement (which offers less legal security and/or is subject to burdensome approval processes).
We therefore welcome Working Party 29’s initiative to take the first steps towards creating model clauses for processor-to-processor data transfers. Indeed, such model clauses will complement the existing model clauses framework and facilitate compliance with European data protection laws. It should, however be noted that these draft new model clauses have not yet adopted been by the European Commission and therefore do not constitute a new official set of model clauses. Use of these new model clauses will not yet guarantee compliance with data transfer requirements. It can, however, be expected that using these draft new model clauses could facilitate approval from the local data protection authority in countries where customised transfer agreements are subject to such data protection authority approval.