Safe Harbor: How to use Model Contract Clauses for EU - US data export and processing
15 Oct 2015
We have two scenarios when an EU-based company (from now termed ‘exporter’) uses a non-EU company (from now termed ‘importer’) for anything which results in personal information of individuals being transferred out of the EU for storage or processing.
The exporter is the decision-maker and the importer provides a service at the request of, or to fulfil a contract with, the exporter.
a. The exporter
i. classed as a Data Controller
ii. takes initial liability and is the first point of contact for queries and complaints
iii. must be able to show evidence that the data will be adequately protected, so must perform a suitable information security audit of the importer
iv. must identify the importer and the purpose of the data transfer and processing in its privacy notices
b. The importer
i. classed as a Data Processor
ii. must be able to provide appropriate levels of data protection and security
iii. must have a named contact and agree a process with the exporter for responding to queries
iv. is not absolved from liability, but is not the first point of contact for queries or complaints
c. contract clauses
i. Use: Commission Decision C(2010)593 Standard Contractual Clauses (processors)
ii. Link: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32010D0087
iii. What to do: pick your language and format, fill in the relevant details about the companies, the data transfers and the security measures, then get it signed. Fill in the blanks only: if the clauses themselves are amended they no longer count as the approved model clauses
The exporter and importer both use the data for their own purposes
a. The exporter
i. classed as a Data Controller. There is joint liability, with liability following fault
ii. may be first point of contact for queries and complaints, but this depends on scenario of data use
iii. must make reasonable efforts to ensure the importer can meet Data Protection Directive standards (so will probably have to perform a suitable information security audit of the importer)
iv. must identify the importer and the purpose of the data transfer and processing in its privacy notices
b. The importer
i. classed as a Data Controller. There is joint liability, with liability following fault
ii. may be first point of contact for queries and complaints, but this depends on scenario of data use
iii. warrants full compliance with Data Protection Directive
iv. must have a named contact and agree a process with the exporter for responding to queries
c. contract clauses
i. Use: SET II Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)
ii. Link: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32004D0915
iii. What to do: pick your language and format, fill in the relevant details about the companies and the data transfers, then get it signed. As with the processor clauses, fill in the blanks only and leave the clauses themselves unaltered
More background details from the ICO here: https://ico.org.uk/media/1571/model_contract_clauses_international_transfers_of_personal_data.pdf