European data protection law prohibits the transfer of personal data (for example, employee records, customer data, and company information collected in the scope of a “due diligence” procedure) outside the EU to countries that do not enjoy an “adequate level of data protection”.
One of the ways to provide for such an adequate level of protection for transfers to countries that have not been formally found to be “adequate” by the EU is for the data exporter in the EU and the data importer outside the EU to conclude a data transfer agreement containing protections for the data. In 2001, the European Commission published a set of standard contractual clauses for controller-to-controller transfers (available on the Commission web site given above). The Commission’s adequacy decision means that the new clauses provide adequate protection for data transfers just as the existing clauses do.
The Commission’s approval means that the clauses are officially recognized as granting full protection under EU data protection law for personal data that is transferred from all Member States of the European Union. The alternative clauses give business an important additional tool to satisfy the EU’s stringent restrictions on data exports, and provide additional protections to personal data beyond those contained in the Commission’s present standard contractual clauses. These FAQs answer some preliminary questions regarding the clauses. The clauses themselves are available below and on the Commission’s web site.