by Dr. Thomas Helbing
On 5 February 2010 the Commission of the European Union (EU) has updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.
Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws if information on individuals is transferred to or accessed by organizations outside the EU.
The EU Commission decision is relevant for all organization receiving personal data - for example customer or employee data - from subsidiaries, customers or vendors in the EU.
In addition, the new standard contractual clauses will also affect companies who indirectly receive personal data that originally comes from the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require from companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant access.
In particular, agreements on outsourcing, cloud computing, software as a service (SaaS) or application service providing (ASP) and software like Human Resources Information Systems (HRIS) Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.
UPDATE: In July 2010, the Article 29 Working Party has published a FAQ-Document clarifying certain questions in relation to the use of the new clauses.