Under the EU’s Data Protection Directive, personal data cannot be transferred out of the European Economic Area (EEA) unless there is adequate protection of the data. One way of ensuring adequate protection is to conduct an individual assessment of the way the particular data will be protected in the destination country. Another possibility arises where the destination country has been approved as having adequate data protection laws, but only a few have been approved so far – Argentina, Canada, Guernsey, Isle of Man, Jersey and Switzerland, plus entities in the US that comply with certain rules called the ‘Safe Harbor’ rules. A more common way of ensuring adequate protection is by entering into contracts with the organisations in the destination country on terms approved or designated by the European Commission.
The Commission has just updated the rules and data export contract terms that apply when a European data controller transfers data to a data processor that is not based in the EEA. A ‘data controller’ is someone who decides and controls what happens to personal data, and a ‘data processor’ is someone who processes personal data on behalf of a data controller but does not take decisions in relation to the personal data and is not ultimately responsible for that data. The new rules allow for the data processor to sub-contract the processing of the data to sub-processors under certain conditions, including by obtaining the prior written consent of the data controller that is exporting the data out of the EEA. The development is aimed at keeping pace with the way business is done, and in particular different levels of outsourcing in a chain.
Separate contract terms continue to exist in relation to transfers of data from data controllers within the EEA to data controllers outside of the EEA. They are unaffected by the updated contract terms that apply to transfers from a data controller to a data processor.
