DWF logo

Search

DWF logo

            Restricted transfers and Model Clauses

            Does your organisation transfer personal data outside of the European Economic Area (EEA) by using the Model Clauses?

            Date: 25/06/2019

            An overview

            Chapter V of the General Data Protection Regulation ("GDPR") restricts transfers of personal data outside the EEA unless the country to which the personal data is being transferred to has an EC adequacy decision or appropriate safeguards are taken.
            Appropriate safeguards are listed in the GDPR and are intended to ensure that the same level of protection for data subjects' rights and freedoms is maintained whenever personal data is transferred.

            The standard contractual clauses adopted by the European Commission ("EC"), also known as the Model Clauses, are one of the appropriate safeguards listed in the GDPR and are probably the most used option. The Model Clauses are drafted on the basis that they be entered into by the data exporter based in the EEA and the data importer based outside the EEA.  They contain contractual obligations for the data exporter and data importer, and guarantee rights for data subjects whose personal data is transferred.  The Model Clauses need to be used in their entirety and cannot be amended, although clauses on commercial issues can be added as long as such additions do not contradict the Model Clauses.

            The EC adopted four sets of Model Clauses under Directive 95/46/EC, the predecessor of the GDPR.  These comprise of two sets for restricted transfers between a controller and controller, and two sets for restricted transfers between a controller and processor.  Please note that the earlier set of controller/processor clauses is no longer used for new contracts; these are only valid for contracts entered into prior to 2010.  When making a restricted controller to controller transfer either set of (controller to controller) Model Clauses can be used depending on which one suits the commercial arrangement best.

            As set out above, the current Model Clauses only address restricted transfers relating to controller to controller or controller to processor arrangements, and mainly focus on transfers from controllers based in the EEA.  The Model Clauses cannot be used when personal data is transferred from a controller based in the EEA to a processor based in the EEA and then to a subprocessor based outside the EEA.  The Article 29 Working Party (predecessor of the European Data Protection Board) however identified 3 different possibilities that could provide a legal framework for a transfer from a processor based in the EEA to a subprocessor based outside the EEA:

            direct contracts between controllers based in the EEA and processors based outside the EEA;
            including a clear contractual mandate from controllers based in the EEA to processors outside the EEA to use Model Clauses in their name and on their behalf; and
            ad-hoc contracts authorised by the relevant data protection authority (such as the ICO in the UK).

            Please note that in the event of a no-deal Brexit, for data protection purposes, the UK would become a third country.  Considering the applicability of the currently available Model Clauses, a no-deal Brexit creates challenges for organisations transferring personal data to and from the EEA.  For example, UK (third country) controllers transferring personal data to the EEA would not be able to rely on the Model Clauses and UK (third country) subprocessors are not covered by the current Model Clauses.  In reality, only UK processors and UK controllers that receive personal data from controllers based in the EEA would still be able to operate under the current Model Clauses.  Considering that the Model Clauses might not be appropriate in all situations, we recommend reviewing your current and future data transfer arrangements and to verify what appropriate safeguarding measures to use.

            We know that the EC plans to update the existing Model Clauses for the GDPR.  Until that happens, the Directive-based Model Clauses can still be used when appropriate.  Existing contracts incorporating the Model Clauses can continue to be used even after the EC has adopted GDPR Model Clauses.  A different set of Model Clauses addressing the vacuum of transfers between processors based in the EEA and subprocessors based outside the EEA were drafted in 2014.  These draft Model Clauses were however not formally adopted by the EC and therefore they cannot be recognised as an appropriate safeguard at this stage, despite the clear need for such Model Clauses addressing the processor/subprocessor situation and current political developments.

            How we can help

            We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits). 

            Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.

            Find out more here

            Related people

            Nicole van Leenen

            • Data Protection & Privacy Specialist

            We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.

            Learn More

            Your Privacy

            When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
            Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected

            Functional cookies

            (Required)

            These cookies let you use the website and are required for the website to function as expected.

            These cookies are required

            Tracking cookies

            Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

            They may also be used to personalise your experience on our website by remembering your preferences and settings.

            Marketing cookies

            These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.