This document is an excerpt from the EUR-Lex website

Document 32010D0087

Transferring Personal Data to non-EU countries: Standard Contractual Clauses

Legal status of the document: This summary has been archived and will not be updated, because the summarised document is no longer in force or does not reflect the current situation.


SUMMARY OF:

Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC

WHAT IS THE AIM OF THE DECISION?

It lays down standard contractual clauses which can be used by data controllers* (exporters) in the EU that transfer personal data* to data processors* (importers) established outside the EU or EEA, to provide appropriate data protection safeguards and thereby comply with the requirements of EU data protection laws (the general data protection regulation — Regulation (EU) 2016/679 — see summary).

KEY POINTS

The standard contractual clauses are set out in the annex to the decision as follows. Standard contractual clauses only relate to data protection and can be included by the parties in a wider contract or be supplemented with other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by this decision.

Clause 1: Definitions

Definitions of key notions used in the standard contractual clauses are set out.

Clause 2: Transfer details

The parties should list, in an annex to the contractual clauses, the details of the transfers, including the relevant activities of the data importer and exporter, the categories of personal data transferred and the processing operations to which the personal data will be subject once transferred.

Clause 3: Third-party beneficiary clause

The clause allows data subjects to enforce several of the clauses against the data exporter, data importer or sub-processor as a third-party beneficiary. It furthermore provides that the parties do not object to a data subject being represented by an association or other body if permitted by national law.

Clause 4: Obligations of the data exporter

This clause lays down the contractual obligations for the data exporter, which has to agree and warrant to:

  • process the personal data only in accordance with data protection law;
  • instruct the data importer to process the data only on the data exporter’s behalf and in accordance with data protection law and the clauses;
  • provide (and comply with) sufficient guarantees in respect of technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in particular where processing is over a network;
  • inform the data subject if special categories of data could be transmitted to a non-EU country with inadequate data protection;
  • forward the notification that it has received from the data importer about the latter’s inability to comply with the clauses to the competent supervisory authority, if it decides to continue the transfer;
  • make available to data subjects, upon request, a copy of the clauses, with a summary description of the security measures;
  • ensure that, in the event of sub-processing, the sub-processor provides at least the same level of personal data protection as the data importer.

Clause 5: Obligations of the data importer

This clause lays down the contractual obligations of the data importer, which has to agree and warrant:

  • to process the personal data only on behalf of the data exporter and in compliance with its instructions and the clauses;
  • that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract;
  • to promptly notify any change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the clauses, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • to implement specified technical and organisational security measures before processing the personal data transferred;
  • to promptly notify the data exporter about requests to disclose personal data by a law enforcement authority, any accidental or unauthorised access, and any request received directly from the data subjects without responding to the request, unless otherwise authorised;
  • to deal promptly with all inquiries from the data exporter and to abide by the advice of the supervisory authority;
  • at the request of the data exporter, to submit its data-processing facilities for audit of the processing activities covered by the clauses;
  • to make available to data subjects, upon request, a copy of the clauses, with a summary description of the security measures;
  • to hire a sub-processor only with prior written consent of the data exporter.

Clause 6: Liability

The clauses require the parties to agree that any data subject who has suffered damages as a result of any breach of the obligations is entitled to receive compensation from the data exporter for the damages suffered.

Clause 7: Mediation and jurisdiction

The data importer must agree that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages, it will accept the decision of the data subject to refer the dispute to independent mediation, or to the courts in the EU country in which the data exporter is established (with the right to seek remedies under other national or international laws).

Clause 8: Cooperation with supervisory authorities

This clause governs the cooperation with the competent supervisory authority, by providing that:

  • the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor;
  • the data importer agrees to inform the data exporter about any legislation preventing an audit of the data importer. In such a case the data exporter shall be entitled to suspend data transfer or terminate the contract.

Clause 9: Governing law

The clauses should be governed by the national law of the EU country in which the data exporter is established.

Clause 10: Variation of the contract

The parties must not vary, modify or contradict the clauses.

Clause 11: Sub-processing

The provisions relating to sub-processing should be governed by the law of the EU country in which the data exporter is established.

Clause 12: Obligation after the termination of personal data-processing services

This clause regulates the obligations of the parties after termination of the data processing. In particular, the parties should agree that at the end of data-processing services, the data importer and the sub-processor must return (or destroy, on request) all the personal data transferred unless prevented from doing so by legislation.

FROM WHEN HAS THE DECISION APPLIED?

It has applied since 15 May 2010.

BACKGROUND

KEY TERMS

Data controller: the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
Personal data: any information relating to a person (data subject) who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or by factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

MAIN DOCUMENT

Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, pp. 5-18)

Successive amendments to Decision 2010/87/EU have been incorporated into the original text. This consolidated version is of documentary value only.

RELATED DOCUMENTS

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)

See consolidated version.

Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (OJ L 385, 29.12.2004, pp. 74-84)

Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181, 4.7.2001, pp. 19-31)

See consolidated version.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, pp. 31-50)

See consolidated version.

last update 07.10.2020
