How the New EU Rules on Data Export Affect Companies in and Outside the EU
by Dr. Thomas Helbing
On 5 February 2010 the Commission of the European Union (EU) updated
the set of standard contractual clauses for the transfer of personal data to
processors in non-EU countries. The old clauses are repealed with
effect from 15 May 2010.
Standard contractual clauses are an important instrument
for companies in the EU to comply with national data protection laws
if information on individuals is transferred to or accessed by organizations
outside the EU.
The EU Commission decision is relevant for all organizations receiving
personal data - for example customer or employee data - from subsidiaries,
customers or vendors in the EU.
In addition, the new standard contractual clauses will also affect
companies who indirectly receive personal data that originally comes from the
EU, e.g. by providing services to companies which process EU data.
This is because the new standard contractual clauses require companies
importing personal data from the EU to contractually impose the terms of the
clauses on any subcontractor to which they transfer personal data or grant
In particular, agreements on outsourcing, cloud computing, software
as a service (SaaS) or application service providing (ASP),
and software like Human Resources Information Systems (HRIS), Customer
Relationship Management (CRM) tools and Enterprise Resource Planning (ERP)
software are affected.
Example "CRM": CRM-Ready Inc. is a US-based
company providing a Customer Relationship Management software that clients use
remotely via a web browser (Software as a Service - SaaS). Best-Resell GmbH in
the EU intends to use CRM-Ready's system to store and manage its customer data.
CRM-Ready Inc. and Best-Resell GmbH agree to conclude a contract with the EU
standard contractual clauses to ensure Best-Resell's compliance with local
Example "HR-Data": Global Workers Ltd. is a
multi-national company headquartered in Japan with subsidiaries in various EU
countries. Names, functions and phone numbers of all employees are stored
centrally in a firmwide database at Global Workers Ltd. in Tokyo. The EU
subsidiaries and Global Workers Ltd. agree on the EU standard contractual
clauses to ensure the lawfulness of the intra-group data transfers under EU
In this article we answer the following questions:
What is the Concept behind Standard Contractual Clauses?
What are the Changes to the Standard Contractual Clauses?
How Does the New Subcontracting Scheme of the Clauses Work in Practice?
When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?
How Do the Clauses Affect Companies Outside the EU?
A. What is the Concept behind Standard Contractual Clauses?
If you are familiar with the concept of standard contractual clauses you can
1. Ensuring an "Adequate Level of Data Protection"
A company established in the EU may transfer or make accessible personal
data to a company outside the EU only if an "adequate level" of data
protection is ensured at the recipient. In the terminology of the EU Data
Protection Directive 95/46/EC (Directive) the company in the EU is then referred to
as "Data Exporter", the company receiving the Personal Data as
The requirement of an adequate level of data protection also applies
to intra-group transfers, i.e. if the Data Exporter and Data Importer
belong to the same group of companies. A data transfer in the meaning of the EU
Directive also takes place if the Data Importer has access to personal
data of entities established in the EU, for example access to servers
controlled by EU subsidiaries. Further, the term "Personal Data" is
understood very broadly and includes any information on individuals, e.g.
business contact details, employee telephone directories or customer lists.
If the Data Exporter and Data Importer enter into a contract that includes
the EU standard contractual clauses, the Data Importer is considered to provide
an adequate level of data protection. The standard contractual clauses set
forth rights and obligations in relation to the handling of personal data. They
may not be altered, but they may be accompanied by commercial terms (e.g. an underlying
service agreement). There are two annexes to the standard contractual clauses
to be completed by the parties. They contain details on the parties, the
transferred data, the data processing and the technical and organizational
security measures to be implemented by the Data Importer.
The obligation to ensure an adequate level of data protection is laid down
in article 25 para. 1 of the Directive. The Directive is not addressed to
individuals or entities but obliges the EU member states to adopt respective
While the wording of the standard contractual clauses is the same
throughout the EU, member states have taken different approaches as to
the formal requirements: In some EU jurisdictions it suffices to
merely enter into a contract with the standard contractual clauses, others
require the use of the clauses to be notified to their national data protection
authority (DPA) or even to be approved by the authority in advance. Also, local
law requirements in relation to the security measures to be implemented by
data processors vary considerably.
For the following jurisdictions the EU Commission has determined
that they already ensure an "adequate level" of data protection, so
that Data Importers in these countries do not need to enter into respective
agreements: Switzerland, Canada, Argentina, Guernsey, the Isle of Man and
2. Controller-Controller and Controller-Processor Transfers
The EU Commission has adopted four
different sets of standard contractual clauses. To select the right set,
the role of the Data Importer must be analyzed: Data Importers can act as
"Data Controllers" or "Data Processors".
The Data Importer takes the role of a Data Processor if it processes and
uses the data solely on behalf of and in accordance with the instructions of
the Data Exporter. Providers of Cloud Computing or Software as a Service (SaaS)
models are usually Data Processors. In contrast, if the Data Importer has the
power to determine for which purposes it uses the data or to decide on the
substantial means of the data processing (e.g. length of storage or access
rights by third parties), then the Data Importer is considered to be a Data
The distinction between Data Controllers and Data Processors can be
difficult and must be made in consideration of the specific factual
circumstances of each case. It is even possible that the Data Importer acts as
Data Processor in relation to certain information and as a Data Controller in
relation to other information. The Article 29 Working Party, an independent advisory body
on data protection matters at the EU level, published an opinion
on the concept of controllers and processors in February 2010.
If the Data Importer is a Data Controller, one of the two sets for
controller-controller transfers must be used. The two sets for
controller-controller transfers are alternatives; companies can choose which
set of clauses they prefer.
If the Data Importer is a Data Processor, the controller-processor clauses
are the right instrument. For controller-processor relationships there is no
right to choose between two sets. On 5 February 2010 the EU Commission
adopted a decision that updates the old clauses with effect as of 15 May 2010 (for
transition rules, please see below).
3. Alternatives To Standard Contractual Clauses
Standard contractual clauses are one of several means to ensure an
"adequate level" of data protection, which is a prerequisite to
lawfully export personal data from the EU.
Data Importers established in the United States can join
the Safe Harbor Program.
Organizations that decide to participate must comply with certain Safe Harbor
Principles and publicly declare to do so in a self-certification procedure. The
participating organization is then considered to ensure an adequate level of
data protection. Safe Harbor certified organizations become subject to the
supervision of the US Federal Trade Commission, which is often a reason for
companies to abstain from participating.
Another instrument to ensure an adequate level of data protection is Binding
Corporate Rules (BCR). BCR are a kind of group-wide company privacy
policy that must fulfill a number of requirements set forth by the EU
Commission. The BCR must be shown to have legally binding effect both
internally between the group companies, employees and subcontractors and
externally for the benefit of individuals. All companies belonging to the group
are then considered to ensure an adequate level of data protection.
Accordingly, BCR only apply to intra-group data transfers, but not to transfers
to entities outside the group. Also, despite some recent simplifications,
the implementation of BCR is still a time-consuming task causing
considerable administrative burden.
4. Important Compliance Requirement to EU Companies
Ensuring an adequate level of data protection is an essential compliance
requirement for companies in the EU. For example, in Germany, failure to comply
with this requirement can result in administrative fines of up to
300,000 Euro. Also, under German law, most companies are obliged to
appoint an in-house data protection officer who directly reports to the
management and is in charge of the company's compliance with data protection
requirements. Data protection officers will not accept an agreement with a data
processor outside the EU, if an adequate level of data protection has not been
Standard contractual clauses should not be considered a mere
"formality". The parties must be aware that the clauses contain a
number of serious provisions on liability and third party beneficiary rights.
In addition, the underlying service contract should be reviewed in light of the
accompanying standard contractual clauses. For example, clauses on
subcontracting or liability limitations in the service contract could be
construed as an amendment to the standard contractual clauses that destroy
Companies outside the EU targeting customers in Europe should be
familiar with the EU data export regulations and the concept of standard
contractual clauses. From a compliance and marketing perspective it is
advisable to have available standard terms and conditions that already take
into account the EU requirements. This demonstrates to prospects that the
provider takes data protection seriously and is willing to co-operate in
B. What are the Changes to the Standard Contractual Clauses?
The major change in the new standard contractual clauses for
controller-processor transfers (Clauses) is that they now allow Data
Importers outside the EU to "subcontract" the data processing fully
or in part to third parties (Sub-Processors). The term subcontracting
is understood broadly: Whenever a third party has access to the data it
can be a Sub-Processor. The old clauses did not explicitly allow
sub-processing, although subcontracting and outsourcing have been a reality in the global
IT landscape for quite some time.
Example "CRM": CRM-Ready Inc., our US-based
company providing CRM software to its customers in Germany via the internet,
uses a third party vendor to administer and maintain databases. Also, servers
are co-located in a data center that offers immediate exchange of defective
hardware. Both the company providing database administration and the data
center providing hardware exchange services are Sub-Processors of CRM-Ready Inc.
Example "HR-Data": Global Workers Ltd., our
multi-national company headquartered in Japan, uses third party Enterprise
Resource Planning (ERP) software that stores names, functions and
qualifications of all employees, including those employed with EU subsidiaries.
If the ERP software provider can access the data (e.g. in the course of
maintenance services), it is considered a Sub-Processor of Global Workers Ltd.
under EU law.
The new set of standard contractual clauses provides in clause 11 that
the Data Importer may subcontract the data processing if two conditions are
Consent: The Data Exporter has given
prior written consent to the subcontracting.
Imposition of Terms: The Data Importer
imposes on the Sub-Processor by written agreement the same obligations as are
imposed on the Data Importer under the standard contractual clauses.
Another change in the standard contractual clauses is that the new terms
have no arbitration clause. In the old version, the Data Importer had to agree
that certain disputes with data subjects were permitted to be resolved by
arbitration; this option has been deleted.
C. How Does the New Subcontracting Scheme Work in Practice?
Data Importers outside the EU that have entered into the new standard
contractual clauses must ensure that the two requirements, consent and
imposition of terms, are fulfilled with regard to any Sub-Processor that gets access
to the personal data.
1. Consent
Consent to sub-contracting should be given in a document separate from the
agreement that contains the standard contractual clauses, so that changes in
the list of Sub-Processors do not affect the agreement, which might have been
notified to or approved by local data protection authorities.
Usually, the Data Exporters will consent to the subcontracting of certain
data processing tasks (e.g. server maintenance, data storage, database
administration) to a Sub-Processor that is identified by company name and
address. However, to achieve more flexibility and to avoid asking for new
consents whenever a Sub-Processor changes or is added, Data Importers may wish
to obtain a broader consent, e.g. to subcontract to any
If Data Exporters are concerned about the lawfulness of such general
consents under the standard contractual clauses, it can be argued that the
level of data protection is not negatively affected because the Data Importer
has to impose the terms of the standard contractual clauses on each
Sub-Processor. In addition, the Data Exporter will be informed by the Data
Importer about any Sub-Processor according to clause 5 lit. (j) of the Clauses.
By this, it is ensured that the Data Exporter has full knowledge of any
company receiving the data, even if a broad consent for sub-processing is
Alternatively, the parties could agree that the Data Importer shall notify
the Data Exporter of its intent to use a certain Sub-Processor and that the consent
of the Data Exporter shall be deemed given if the Data
Exporter does not object within an agreed period of time.
2. Imposition of Terms
As to the second requirement for sub-processing - the imposition of the
standard contractual clauses on the Sub-Processor - a footnote in the EU
Commission's decision explains that this may be satisfied by the Sub-Processor
co-signing the contract entered into between the Data Exporter and Data
Importer. While this appears to be a practical and simple procedure at first glance,
the co-signature has a number of disadvantages:
First, if the Sub-Processor simply co-signs the agreement between the Data
Exporter and the Data Importer, it remains unclear to what extent the Annexes
shall apply to the Sub-Processor. The Annexes contain specific information
about the transferred data, the processing purposes and means and the security
measures to be taken by the Data Importer. In many cases, the Data Importer
does not subcontract the entire data processing but only parts of it. In such
cases the provisions in the Annexes are likely inappropriate for the
relationship between the Data Importer and the Sub-Processor.
Second, the co-signature of contracts with standard contractual clauses can
be a burdensome task for Sub-Processors. In our example of CRM-Ready Inc.
providing CRM software as a service, the Sub-Processors would have to sign every
single contract of CRM-Ready Inc. with customers in the EU. If the
Sub-Processors are using Sub-Processors themselves - a mechanism that the EU
Directive expressly allows - those Sub-Sub-Processors would have to co-sign the
agreements as well; the list of co-signatures would soon exceed the actual
terms. In addition, CRM-Ready Inc. would disclose to its Sub-Processors the
existence of business relationships with its EU customers.
Third, the co-signature makes it more difficult for the Sub-Processor to
understand its legal obligations and the impact of the clauses, since it has to
pick out of the standard contractual clauses the provisions relevant to
Fourth, a co-signature could be construed in a way that the Sub-Processor is
not only obliged vis-à-vis its contractual partner, the Data Importer, but also
directly vis-à-vis the Data Exporter, with whom it has no business relationship.
For these reasons it appears preferable for the Data Importer and
Sub-Processor to enter into a separate agreement that imposes the
relevant terms on the Sub-Processor (to obtain a checklist for such an agreement, please contact me).
Such an agreement can be tailored to the underlying service agreement between
the Data Importer and Sub-Processor. Since the Data Importer is obliged to
provide the sub-processing agreement to the Data Exporter (clause 5 lit (j) of
the Clauses) and upon request partly to data subjects (clause 5 lit (g) of the
Clauses), the agreement should be formally separated from the underlying
service contract to avoid disclosure of commercial terms.
To ease the administrative burden of providing sub-processing agreements to
the Data Exporter, the Data Importer and Data Exporter can agree on a
simplified mechanism: The Data Importer could make available electronic copies
of sub-processing agreements online on a secured server and notify the Data
Exporter regularly of changes. This mechanism would also support the Data
Importer in fulfilling its obligation under the Clauses to keep an annually
updated list of sub-processing agreements (clause 11 para. (4) of the Clauses).
D. When Do the New Clauses Take Effect and Which
Existing Agreements Need to be Updated?
The decision of the EU Commission updating the set of standard contractual
clauses for controller-processor transfers applies from 15 May 2010. The old
version of the clauses is repealed with effect from the same date.
Agreements that are entered into after 15 May 2010 must accordingly
use the new clauses. In contrast to the two sets of standard
contractual clauses for controller-controller transfers, there is no right of
For agreements that have been concluded prior to 15 May 2010
with the old version of the standard contractual clauses, the EU Commission
decision contains a transitional rule: Old agreements remain
in force and effect if and as long as two requirements are met:
- The data transfer and processing operations that are
subject matter of the contract remain unchanged, and
- Personal data continues to be transferred to the Data
In addition to this rule, if the Data Importer decides to subcontract parts
of the data processing, the new set of clauses must be used. This, of course,
also applies if the Data Importer is already using subcontractors for the data
Example "Changed Data Processing": Under an
agreement that has been entered into prior to 15 May 2010 with the old set of
- new types of data are transferred (in addition to
customer data, the Data Importer also receives vendor data)
- additional data fields are transferred (in addition to
names and contact details of employees information on qualifications are
- data is used for other or further purposes (e.g.
instead of a mere customer data management the Data Importer is supposed
to analyze customer data and create customer profiles)
Example "Discontinued Data Processing": The
parties have entered into a framework agreement under which individual orders
are made, e.g. batches of address data are transferred and then used by the
Data Importer for mailings or surveys. Since there is no continuous data
transfer, the parties have to use new clauses for orders made after 15 May
E. How Do the New Clauses Affect Companies Outside the EU?
1. Data Importers
Organizations outside the EU receiving personal data from companies in the
EU are required to ensure an adequate level of data protection. Often this is
achieved by concluding standard contractual clauses. Companies who
have entered into such agreements based on the old set of standard contractual
clauses may need to update the agreements and switch to the new clauses
if the data processing is discontinued or changes after 15 May 2010, or if data is
made available by the Data Importer to Sub-Processors.
Data Importers who use Sub-Processors have to ensure that this happens in
line with the subcontracting scheme of the Clauses, i.e. the
Data Exporter must have consented and the terms of the standard contractual
clauses must be imposed on the Sub-Processor.
In addition, Data Importers using Sub-Processors under the standard
contractual clauses should be aware that they are responsible for the
data processing of the Sub-Processor vis-à-vis the Data Exporter
(clause 5 lit. (i)) and the data subjects (clause 11 para. (1) sentence 3) and
have to send a copy of any agreement with a Sub-Processor to the Data Exporter
(clause 5 (j)).
2. Effect on Sub-Processors
With the introduction of the new set of standard contractual clauses, more
and more Data Importers will approach their Sub-Processors in order to ensure
compliance with the subcontracting mechanism of the Clauses. In
particular, Sub-Processors will be asked to contractually agree to the terms of
the standard contractual clauses. For the reasons stated above, Sub-Processors should
consider entering into a separate agreement with the Data Importer for this purpose
rather than co-signing the standard contractual clauses entered into between
the Data Exporter and the Data Importer.
In addition, Sub-Processors should take into consideration the following
implications of the standard contractual clauses:
Sub-Processors have to agree to third-party beneficiary rights
for cases where the data subject is not able to bring compensation claims
against the Data Importer for damages caused by data breaches of the
Sub-Processor (clauses 11 para. 2, clause 6 para. (1) of the Clauses).
If the Sub-Processor itself makes personal data available to other
companies, it must obtain the consent of the Data Importer
and impose the terms of the standard contractual clauses on the data
recipient. The Sub-Processor becomes responsible for the data
processing of its own sub-contractors and must send a copy of the
sub-processing agreement to the Data Importer.
According to clause 8 (2), the Sub-Processor has to agree that the
supervisory authority of the country where the Data Exporter is located has the
right to conduct audits at the Sub-Processor. These audits are
subject to the conditions that would apply to an audit of the Data Exporter
under the Data Exporter's local law.
On the termination of the Sub-Processing agreement, the Sub-Processor has to
return and destroy all data received from the Data Exporter.
This must be certified to the Data Exporter (clause 12 para. (1)).
If you have questions about the new EU model clauses, EU data protection
regulations in general or their contractual implications, please contact us.
We will also be happy to send you our free checklist for a
Sub-Processing agreement that complies with the new EU rules.
About the author: Dr. Thomas Helbing
is a Germany-based IT and Privacy Lawyer. Contact: firstname.lastname@example.org or
+49 89 39 29 70 07, Web: http://www.thomashelbing.com/en