32002D0016

Commission Decision

of 27 December 2001

on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC

(notified under document number C(2001) 4540)

(Text with EEA relevance)

(2002/16/EC)

THE COMMISSION OF THE EUROPEAN COMMUNITIES,

Having regard to the Treaty establishing the European Community,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 26(4) thereof,

Whereas:

(1) Pursuant to Directive 95/46/EC Member States are required to provide that a transfer of personal data to a third country may only take place if the third country in question ensures an adequate level of data protection and the Member States' laws, which comply with the other provisions of the Directive, are respected prior to the transfer.

(2) However, Article 26(2) of Directive 95/46/EC provides that Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.

(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding the data transfer operation or set of data transfer operations. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under that Directive(2) has issued guidelines to aid with the assessment(3).

(4) The standard contractual clauses relate only to data protection. The data exporter and the data importer are free to include any other clauses on business related issues which they consider as being pertinent for the contract as long as they do not contradict the standard contractual clauses.

(5) This Decision should be without prejudice to national authorisations Member States may grant in accordance with national provisions implementing Article 26(2) of Directive 95/46/EC. This Decision only has the effect of requiring the Member States not to refuse to recognise as providing adequate safeguards the contractual clauses set out in it and does not therefore have any effect on other contractual clauses.

(6) The scope of this Decision is limited to establishing that the clauses which it sets out may be used by a data controller established in the Community in order to adduce adequate safeguards within the meaning of Article 26(2) of Directive 95/46/EC for the transfer of personal data to a processor established in a third country.

(7) This Decision should implement the obligation provided for in Article 17(3) of Directive 95/46/EC and does not prejudice the content of the contracts or legal acts established pursuant to that provision. However, some of the standard contractual clauses, in particular as regards the data exporter's obligations, should be included in order to increase clarity as to the provisions which may be contained in a contract between a controller and a processor.

(8) Supervisory authorities of the Member States play a key role in this contractual mechanism in ensuring that personal data are adequately protected after the transfer. In exceptional cases where data exporters refuse or are unable to instruct the data importer properly, with an imminent risk of grave harm to the data subjects, the standard contractual clauses should allow the supervisory authorities to audit data importers and, where appropriate, take decisions which are binding on data importers. The supervisory authorities should have the power to prohibit or suspend a data transfer or a set of transfers based on the standard contractual clauses in those exceptional cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the warranties and obligations providing adequate protection for the data subject.

(9) The Commission may also consider in the future whether standard contractual clauses for the transfer of personal data to data processors established in third countries not offering an adequate level of data protection, submitted by business organisations or other interested parties, offer adequate safeguards in accordance with Article 26(2) of Directive 95/46/EC.

(10) A disclosure of personal data to a data processor established outside the Community is an international transfer protected under Chapter IV of Directive 95/46/EC. Consequently, this Decision does not cover the transfer of personal data by controllers established in the Community to controllers established outside the Community who fall within the scope of Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC(4).

(11) The standard contractual clauses should provide for the technical and organisational security measures ensuring a level of security appropriate to the risks represented by the processing and the nature of the data to be protected that a data processor established in a third country not providing adequate protection must apply. Parties should make provision in the contract for those technical and organisational measures which, having regard to applicable data protection law, the state of the art and the cost of their implementation, are necessary in order to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access or any other unlawful forms of processing.

(12) In order to facilitate data flows from the Community, it is desirable that processors providing data processing services to several data controllers in the Community be allowed to apply the same technical and organisational security measures irrespective of the Member State from which the data transfer originates, in particular in those cases where the data importer receives data for further processing from different establishments of the data exporter in the Community, in which case the law of the designated Member State of establishment should apply.

(13) It is appropriate to lay down the minimum information that the parties must specify in the contract dealing with the transfer. Member States should retain the power to particularise the information the parties are required to provide. The operation of this Decision should be reviewed in the light of experience.

(14) The data importer should process the transferred personal data only on behalf of the data exporter and in accordance with his instructions and the obligations contained in the clauses. In particular the data importer should not disclose the personal data to a third party unless in accordance with certain conditions. The data exporter should instruct the data importer throughout the duration of the data processing Services to process the data in accordance with his instructions, the applicable data protection laws and the obligations contained in the clauses. The transfer of personal data to processors established outside the Community does not prejudice the fact that the processing activities should be governed in any case by the applicable data protection law.

(15) The standard contractual clauses should be enforceable not only by the organisations which are parties to the contract, but also by the data subjects, in particular where the data subjects suffer damage as a consequence of a breach of the contract.

(16) The data subject should be entitled to take action and, where appropriate, receive compensation from the data exporter who is the data controller of the personal data transferred. Exceptionally, the data subject should also be entitled to take action, and, where appropriate, receive compensation from the data importer in those cases, arising out of a breach by the data importer of any of his obligations referred to in the second paragraph of clause 3, where the data exporter has factually disappeared or has ceased to exist in law or has become insolvent.

(17) In the event of a dispute between a data subject, who invokes the third-party beneficiary clause and the data importer, which is not amicably resolved, the data importer should agree to provide the data subject with the choice between mediation, arbitration or litigation. The extent to which the data subject will have an effective choice should depend on the availability of reliable and recognised systems of mediation and arbitration. Mediation by the data protection supervisory authorities of the Member State in which the data exporter is established should be an option where they provide such a service.

(18) The contract should be governed by the law of the Member State in which the data exporter is established enabling a third-party beneficiary to enforce a contract. Data subjects should be allowed to be represented by associations or other bodies if they so wish and if authorised by national law.

(19) The Working Party on the Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion on the level of protection provided under the standard contractual clauses annexed to this Decision, which has been taken into account in the preparation of this Decision(5).

(20) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC,

HAS ADOPTED THIS DECISION:

Article 1

The standard contractual clauses set out in the Annex are considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Article 26(2) of Directive 95/46/EC.

Article 2

This Decision concerns only the adequacy of protection provided by the standard contractual clauses set out in the Annex for the transfer of personal data to processors. It does not affect the application of other national provisions implementing Directive 95/46/EC that pertain to the processing of personal data within the Member States.

This Decision shall apply to the transfer of personal data by controllers established in the Community to recipients established outside the territory of the Community who act only as processors.

Article 3

For the purposes of this Decision:

(a) the definitions in Directive 95/46/EC shall apply;

(b) "special categories of data" means the data referred to in Article 8 of that Directive;

(c) "supervisory authority" means the authority referred to in Article 28 of that Directive;

(d) "data exporter" means the controller who transfers the personal data;

(e) "data importer" means the processor established in a third country who agrees to receive from the data exporter personal data intended for processing on the data exporter's behalf after the transfer in accordance with his instructions and the terms of this Decision and who is not subject to a third country's system ensuring adequate protection;

(f) "applicable data protection law" means the legislation protecting the fundamental rights and freedoms of natural persons and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(g) "technical and organisational security measures" means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Article 4

1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to Chapters II, III, V and VI of Directive 95/46/EC, the competent authorities in the Member States may exercise their existing powers to prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data in cases where:

(a) it is established that the law to which the data importer is subject imposes upon him requirements to derogate from the applicable data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses; or

(b) a competent authority has established that the data importer has not respected the contractual clauses in the Annex; or

(c) there is a substantial likelihood that the standard contractual clauses in the Annex are not being or will not be complied with and the continuing transfer would create an imminent risk of grave harm to the data subjects.

2. The prohibition or suspension pursuant to paragraph 1 shall be lifted as soon as the reasons for the suspension or prohibition no longer exist.

3. When Member States adopt measures pursuant to paragraphs 1 and 2, they shall, without delay, inform the Commission which will forward the information to the other Member States.

Article 5

The Commission shall evaluate the operation of this Decision on the basis of available information three years after its notification to the Member States. It shall submit a report on the findings to the Committee established under Article 31 of Directive 95/46/EC. It shall include any evidence that could affect the evaluation concerning the adequacy of the standard contractual clauses in the Annex and any evidence that this Decision is being applied in a discriminatory way.

Article 6

This Decision shall apply from 3 April 2002.

Article 7

This Decision is addressed to the Member States.

Done at Brussels, 27 December 2001.

For the Commission

Frederik Bolkestein

Member of the Commission

(1) OJ L 281, 23.11.1995, p. 31.

(2) The web address of the Working Party is:

http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/index.htm.

(3) WP 4 (5020/97): "First orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy", a discussion document adopted by the Working Party on 26 June 1997.

WP 7 (5057/97): Working document: "Judging industry self-regulation: when does it make a meaningful contribution to the level of data protection in a third country?", adopted by the Working Party on 14 January 1998.

WP 9 (5005/98): Working Document: "Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries", adopted by the Working Party on 22 April 1998.

WP 12: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, adopted by the Working Party on 24 July 1998, available on the website

"http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp12en.htm" hosted by the European Commission.

(4) OJ L 181, 4.7.2001, p. 19.

(5) Opinion No 7/2001 adopted by the Working Party on 13 September 2001 (DG MARKT....), available on the website "Europa" hosted by the European Commission.

ANNEX

>PIC FILE= "L_2002006EN.005702.TIF">

>PIC FILE= "L_2002006EN.005801.TIF">

>PIC FILE= "L_2002006EN.005901.TIF">

>PIC FILE= "L_2002006EN.006001.TIF">

Appendix 1

>PIC FILE= "L_2002006EN.006102.TIF">

Appendix 2

>PIC FILE= "L_2002006EN.006202.TIF">