How the New EU Rules on Data Export Affect Companies in and Outside the EU

Photo by Juliana Kozoski on Unsplash
Dr. Thomas Helbing

On 5 February 2010 the Commission of the European Union (EU) has updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.

Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws if information on individuals is transferred to or accessed by organizations outside the EU.

The EU Commission decision is relevant for all organization receiving personal data - for example customer or employee data - from subsidiaries, customers or vendors in the EU.

In addition, the new standard contractual clauses will also affect companies who indirectly receive personal data that originally comes from the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require from companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant access.

In particular, agreements on outsourcing, cloud computing, software as a service (SaaS) or application service providing (ASP) and software like Human Resources Information Systems (HRIS) Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.

UPDATE: In July 2010, the Article 29 Working Party has published a FAQ-Document clarifying certain questions in relation to the use of the new clauses.

Example "CRM": CRM-Ready Inc. is a US-based company providing a Customer Relationship Management software that clients use remotely via a web browser (Software as a Service - SaaS). Best-Resell GmbH in the EU intends to use CRM-Ready's system to store and manage its customer data. CRM-Ready Inc. and Best-Resell GmbH agree to conclude a contract with the EU standard contractual clauses to ensure Best-Resell's compliance with local privacy laws.

Example "HR-Data": Global Workers Ltd. is a multi-national company headquartered in Japan with subsidiaries in various EU countries. Names, functions and phone numbers of all employees are stored centrally in a firmwide database at Global Workers Ltd. in Tokyo. The EU subsidiaries and Global Workers Ltd. agree on the EU standard contractual clauses to ensure the lawfulness of the intra-group data transfers under EU laws.

In this article we answer the following questions:• What is the Concept behind Standard Contractual Clauses? • What are the Changes to the Standard Contractual Clauses? • How Does the New Subcontracting Scheme of the Clauses Work in Practice? • When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated? • How Do the Clauses Affect Companies Outside the EU?


A. What is the Concept behing Standard Contractual Clauses?

If you are familiar with the concept of standard contractual clauses you can skip this section.

1. Ensuring an "Adequate Level of Data Protection"

A company established in the EU may transfer or make accessible personal data to a company outside the EU only if an "adequate level" of data protection is ensured at the recipient. In the terminology of the EU Data Protection Directive 95/46/EC (Directive) the company in EU is then referred to as "Data Exporter", the company receiving the Personal Data as "Data Importer".

The requirement of an adequate level of data protection also applies to intra-group transfers, i.e. if the Data Exporter and Data Importer belong to the same group of companies. A data transfer in the meaning of the EU Directive also takes place if the Data Importer has access to personal data of entities established in the EU, for example access to servers controlled by EU subsidiaries. Further, the term "Personal Data" is understood very broad and includes any information on individuals, e.g. business contact details, employee telephone directories or customer lists.

If the Data Exporter and Data Importer enter into a contract that include the EU standard contractual clauses, the Data Importer is considered to provide an adequate level of data protection. The standard contractual clauses set forth rights and obligations in relation to the handling of personal data. They may not be altered but accompanied by commercial terms (e.g. an underlying service agreement). There are two annexes to the standard contractual clauses to be completed by the parties. They contain details on the parties, the transferred data, the data processing and the technical and organizational security measures to be implemented by the Data Importer.

The obligation to ensure an adequate level of data protection is laid down in article 25 para. 1 of the Directive. The Directive is not addressed to individuals or entities but obliges the EU member states to adopt respective national legislation.

While the wording of the standard contractual clauses are the same throughout the EU, member states have taken different approaches as to the formal requirements: In some EU jurisdictions it suffices to merely enter into a contract with the standard contractual clauses, others require the use of the clauses to be notified to their national data protection authority (DPA) or even to be approval by the authority in advance. Also, local law requirements in relation to the security requirements to be implemented by data processor vary considerably.

For the following jurisdictions the EU Commission has determined that they already ensure an "adequate level" of data protection, so that Data Importers in these countries do not need to enter into respective agreements: Switzerland, Canada, Argentina, Guernsey, the Isle of Man and Jersey.

2. Controllers-Controller and Controller-Processor Transfers

The EU Commission has adopted four different sets of standard contractual clauses. To select the right set, the role of the Data Importer must be analyzed: Data Importers can act as "Data Controllers" or "Data Processors".

The Data Importer takes the role of a Data Processor if it processes and uses the data solely on behalf of and in accordance with the instructions of the Data Exporter. Providers of Cloud Computing or Software as a Service (SaaS) models are usually Data Processors. In contrast, if the Data Importer has the power to determine for which purposes it uses the data or to decide on the substantial means of the data processing (e.g. length of storage or access rights by third parties), then the Data Importer is considered to be a Data Controller.

The distinction between Data Controllers and Data Processors can be difficult and must be made in consideration of the specific factual circumstances of each case. It is even possible that the Data Importer acts as Data Processor in relation to certain information and as a Data Controller in relation to other. The Article 29 Working Party, an independent advisory body on data protection matters at the EU level, has published an opinion on the concept of controllers and processors in February 2010.

If the Data Importer is a Data Controller, one of the two sets for controller-controller transfers must be used. The two sets for controller-controller transfers are alternatively, companies can choose which set of clauses they prefer.

If the Data Importer is a Data Processor, the controller-processor clauses are the right instrument. For controller-processor relationships there is no right to choose between two sets. On 5 February 2010 the EU Commission has adopted a decision that updates the old clauses with effect as of 15 May 2010 (for transition rules, please see below).

3. Alternatives To Standard Contractual Clauses

Standard contractual clauses are one of several means to ensure an "adequate level" of data protection, which is a prerequisite to lawfully export personal data from the EU.

Data Importers established in the United States can join the Safe Harbor Program. Organizations that decide to participate must comply with certain Safe Harbor Principles and publicly declare to do so in a self-certification procedure. The participating organization is then considered to ensure an adequate level of data protection. Safe Harbor certified organizations become subject to the supervision of the US Federal Trade Commission which is often a reason for companies to abstain from a participation.

Another instrument to ensure an adequate level of data protection are Binding Corporate Rules (BCR). BCR are a kind of group-wide company privacy policy that must fulfill a couple of requirements set forth by the EU Commission. The BCR must be shown to have legally binding effect both internally between the group companies, employees and subcontractors and externally for the benefit of individuals. All companies belonging to the group are then considered to ensure an adequate level of data protection. Accordingly, BCR only apply to intra-group data transfers, but not to transfers to entities outside the group. Also, despite of some simplifications in the close past, the implementation of BCR is still a time consuming task causing considerable administrative burden.

4. Important Compliance Requirement to EU Companies

Ensuring an adequate level of data protection is an essential compliance requirement for companies in the EU. For example, in Germany, failure to comply with this requirement can result in administrative fines of up to 300,000 Euro. Also, under German law, most companies are obliged to appoint an in-house data protection officer who directly reports to the management and is in charge of the company's compliance with data protection requirements. Data protection officers will not accept an agreement with a data processor outside the EU, if an adequate level of data protection has not been ensured.

Standard contractual clauses should not be considered as a mere "formality". The parties must be aware that the clauses contain a couple of serious provisions on liability and third party beneficiary rights. In addition, the underlying service contract should be reviewed in light of the accompanying standard contractual clauses. For example, clauses on subcontracting or liability limitations in the service contract could be construed as an amendment to the standard contractual clauses that destroy their effect.

Companies outside the EU targeting customers in Europe should be familiar with the EU data export regulations and the concept of standard contractual clauses. From a compliance and marketing perspective it is advisable to have available standard terms and conditions that already take into account the EU requirements. This demonstrates to prospects that the provider is taking serious data protection and willing to co-operate in fulfilling them.


B. What are the changes to the Standard Contractual Clauses?

The major change in the new standard contractual clauses for controller-processor transfers (Clauses) is that they now allow Data Importers outside the EU to "subcontract" the data processing fully or in parts to third-parties (Sub-Processors). The term subcontracting is understood broad: Whenever a third party has access to the data it can be a Sub-Processor. The old clauses did not explicitly allow sub-processing although subcontracting and outsourcing is reality in a global IT landscape for quite a time.

Example "CRM": CRM-Ready Inc., our US-based company providing a CRM software to its customer in Germany via the internet uses a third party vendor to administer and maintain databases. Also, servers are co-located in a data center that offers immediate exchange of defective hardware. Both, the company providing database administrations and hardware exchange services are Sub-Processors of CRM-Ready Inc..

Example "HR-Data": Global Workers Ltd., our multi-national company headquartered in Japan, uses a third party Enterprise Resource Planning (ERP) software that stores names, functions and qualifications of all employees, including those employed with EU subsidiaries. If the ERP software provider can access the data (e.g. in the course of maintenance services) it is considered a Sub-Processor of Global Workers Ltd under EU law.

The new set of standard contractual clauses provides for in clause 11 that the Data Importer may subcontract the data processing if two conditions are met: 1. Consent: The Data Exporter has given prior written consent to the subcontracting. 2. Imposition of Terms: The Data Importer imposes on the Sub-Processor by written agreement the same obligations as are imposed on the Data Importer under the standard contractual clauses.

Another change in the standard contractual clauses is that the new terms have no arbitration clause. In the old version, the Data Importer had to agree that certain disputes with data subjects were permitted to be resolved by arbitration, this option has been deleted.


C. How Does the News Subcontracting Scheme Work in Practice?

Data Importers outside the EU that have entered into the new standard contractual clauses must ensure that the two requirements, consent and imposition of terms, are fulfilled with regard to any Sub-Processor that gets access to the personal data.

1. Consent

Consent to sub-contracting should be given in a document separated from the agreement that contains the standard contractual clauses, so that changes in the list of Sub-Processors do not affect the agreement which might have been notified or approved by local data protection authorities.

Usually, the Data Exporters will consent to the subcontracting of certain data processing tasks (e.g. server maintenance, data storage, database administration) to a Sub-Processor that is identified by company name and address. However, to achieve more flexibility and to avoid asking for new consents whenever a Sub-Processor changes or is added, Data Importers may wish to obtain a broader consent, e.g. to subcontract to any affiliated company.

If Data Exporters are concerned about the lawfulness of such general consents under the standard contractual clauses, it can be argued that the level of data protection is not negatively affected because the Data Importer has to impose the terms of the standard contractual clauses to each Sub-Processor. In addition, the Data Importer will be informed by the Data Exporter about any Sub-Processor according to clause 5 lit. (j) of the Clauses. By this, it is ensured that the Data Exporter has full knowledge about any company receiving the data, even if a broad consent for sub-processing is given.

Alternatively, the parties could agree that the Data Importer shall notify the Data Exporter about his intent to use a certain Sub-Processor and that the consent of the Data Exporter shall be deemed given if the Data Exporter does not object within a agreed period of time.

2. Imposition of Terms

As to the second requirement for sub-processing - the imposition of the standard contractual clauses on the Sub-Processor - a footnote in the EU Commission's decision explains that this may be satisfied by the Sub-Processor co-signing the contract entered into between the Data Exporter and Data Importer. While this appears to be a practical and simple procedure at first glace, the co-signature has a couple of disadvantages:

First, if the Sub-Contractor simply co-signs the agreement between the Data Exporter and the Data Importer, it remains unclear to which extent the Annexes shall apply to the Sub-Processor. The Annexes contain specific information about the transferred data, the processing purposes and means and the security measures to be taken by the Data Importer. In many cases, the Data Importer does not subcontract the entire data processing but only parts of it. In such cases the provisions in the Annexes are likely inappropriate for the relationship between the Data Importer and the Sub-Processor.

Second, the co-signature of contracts with standard contractual clauses can be a burdensome task for Sub-Processors. In our example of CRM-Ready Inc. providing a CRM-Software as a Service, the Sub-Processors had to sign each single contract of CRM-Ready Inc. with customers in the EU. If the Sub-Processors are using Sub-Processors themselves - a mechanism that the EU Directive expressly allows - those Sub-Sub-Processors had to co-sign the agreements as well; the list of co-signatures would soon exceed the actual terms. In addition, CRM-Ready Inc. would disclose to its Sub-Processors the existence of business relationships with its EU customers.

Third, the co-signature makes it more difficult for the Sub-Processor to understand its legal obligations and the impact of the clauses, since it has to pick out of the standard contractual clauses the provisions relevant to Sub-Processors.

Fourth, a co-signature could be construed in a way that the Sub-Processor is not only obliged vis-à-vis his contractual partner, the Data Importer, but also directly vis-à-vis the Data Exporter with whom he has no business relationship.

For these reasons it appears preferable for the Data Importer and Sub-Processor to enter into a separate agreement that impose the relevant terms on the Sub-Processor (to obtain a checklist for such agreement, please contact me). Such an agreement can be tailored to the underlying service agreement between the Data Importer and Sub-Processor. Since the Data Importer is obliged to provide the sub-processing agreement to the Data Exporter (clause 5 lit (j) of the Clauses) and upon request partly to data subjects (clause 5 lit (g) of the Clauses), the agreement should be formally separated from the underlying service contract to avoid disclosure of commercial terms.

To ease the administrative burden of providing sub-processing agreements to the Data Exporter, the Data Importer and Data Exporter can agree on an simplified mechanism: The Data Exporter could make available electronic copies of sub-processing agreements online on a secured server and notify the Data Exporter regularly on changes. This mechanism would also support the Data Importer in fulfilling its obligation under the Clauses to keep an annually updated list of sub-processing agreements (clause 11 para. (4) of the Clauses).


D. When do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?

The decision of the EU commission updating the set of standard contractual clauses for controller-processor transfers applies from 15 May 2010. The old version of the clauses is repealed with effect from the same date.

Agreements that are entered into after 15 May 2010 must accordingly use the new clauses. In contrast to the two sets of standard contractual clauses for controller-controller transfers, there is no right of choice.

For agreements that have been concluded prior to 15 May 2010 with the old version of the standard contractual clauses, the EU Commission decision contains a transitional rule: Old agreements remain in force and effect if and as long as two requirements are met:

  1. The data transfer and processing operations that are subject matter of the contract remain unchanged, and
  2. Personal data continues to be transferred to the Data Importer.

In addition to this rule, if the Data Importer decides to subcontract parts of the data processing, the new set of clauses must be used. This, of course, also applies if the Data Importer is already using subcontractors for the data processing.

Example "Changed Data Processing": Under an agreement that has been entered into prior to 15 May 2010 with the old set of clauses * new types of data are transferred (in addition to customer data, the Data Importer also receives vendor data) * additional data fields are transferred (in addition to names and contact details of employees information on qualifications are transferred) * data is used for other or further purposes (e.g. instead of a mere customer data management the Data Importer is supposed to analyze customer data and create customer profiles)

Example "Discontinued Data Processing": The parties have entered into a framework agreement under which individual orders are made, e.g. batches of address data are transferred and then used by the Data Importer for mailings or surveys. Since there is no continuous data transfer, the parties have to use new clauses for orders made after 15 May 2010.


E. How do the New Clauses Affect Companies Outside the EU?

1. Data Importers

Organizations outside the EU receiving personal data from companies in the EU are required to ensure an adequate level of data protection. Often this is facilitated by the conclusion of standard contractual clauses. Companies who have entered into such agreements based on the old set of standard contractual clauses may need to update the agreements and switch to the new clausesif the data processing is discontinued or changes after 15 May 2010 or data is made available by the Data Importer to Sub-Processors.

Data Importers who use Sub-Processors have to ensure that this happens in line with the subcontracting scheme of the Clauses, i.e. the Data Exporter must have consented and the terms of the standard contractual clauses must be imposed on the Sub-Processor.

In addition, Data Importers using Sub-Processors under the standard contractual clauses should be aware that they are responsible for the data processing of the Sub-Processor vis-à-vis the Data Exporter (clause 5 lit. (i)) and the data subjects (clause 11 para. (1) sentence 3) and have to send a copy of any agreement with a Sub-Processor to the Data Exporter (clause 5 (j)).

2. Effect on Sub-Processors

With the introduction of the new set of standard contractual clauses more and more Data Importers will approach their Sub-Processors in order to ensure compliance with the subcontracting mechanism of the Clauses. In particular, Sub-Processors will be asked to contractually agree on the terms of the standard contractual clauses. For the reasons stated above, it should be considered to make a separate agreement with the Data Importer for this purpose rather than co-signing the standard contractual clauses entered into between the Data Exporter and the Data Importer.

In addition, Sub-Processors should take into consideration the following implications of the standard contractual clauses:

Sub-Processors have to agree to third-party beneficiary rights for cases where the data subject is not able to bring compensation claims against the Data Importer for damages caused by data breaches of the Sub-Processor (clauses 11 para. 2, clause 6 para. (1) of the Clauses).

If the Sub-Processor itself is making available personal data to other companies, it must obtain the consent from the Data Importer and impose the terms of the standard contractual clauses on the data recipient. The Sub-Processor becomes responsible for the Data Processing by its own sub-contractors and must send a copy of the Sub-Processing-Agreement to the Data Importer.

According to clause 8 (2), the Sub-Processor has to agree that the supervisory authority of the country where the Data Exporter is located has the right to conduct audits at the Sub-Processor. These audits are subject to the conditions that would apply to an audit of the Data Exporter under the Data Exporter's local law.

On the termination of the Sub-Processing agreement, the Sub-Processor has to return and destroy all data received from the Data Exporter. This must be certified to the Data Exporter (clause 12 para. (1)).

Processors Standard Data Protection Clauses International Data Transfer
Data Protection Law


Ratgeber, Muster und Checklisten