Safe Harbor - Model Contract Clauses for EU - US data export and processing | DMA

Filter By

Show All

Connect to


Safe Harbor - Model Contract Clauses for EU - US data export and processing

I'm already starting to see "model clause" addendums coming out to allow EU companies to continue to use US-based partners, CRM solutions and other data services.
The standard model clauses which I have seen place the onus of responsibility, and liability, on the exporter (i.e. you) to make it easier for the data subject to obtain redress should there be a data breach or a misuse of the data.

If you want to sign a model contract like this with a US-based partner or supplier you should probably take legal advice first.

At the very least you must understand the liability you are accepting and as such you must perform a data protection audit which documents the types of data being exported, what processing is to be carried out, the information security processes of the partner and a full list of the partners which they use for sub-contracting data processing or storage.

This should also be carried out for EU-based cloud providers who transfer backups, login details, support details, etc outside of the EU.

Read this for the ICO's current guidance:

Hear more from the DMA

Please login to comment.


And to follow on from this, now my own EU cloud provider has just emailed me to say that they transfer data to the US, so I need to sign a new contract absolving them of any blame should they or their partners cause a data breach!