Policy statement

Proposed standard contractual clauses for the transfer of personal data from the EU to Third Countries
Electronic commerce project, 17 September 2001

Letter sent to Commissioner Frits Bolkestein

Introduction

These Clauses are designed to ensure an adequate level of data protection when transferring personal data from a data controller in the European Union to another data controller located in a third country. They are supported by a number of business organisations worldwide, including the International Chamber of Commerce (ICC), Federation of European Direct Marketing (FEDMA), the EU Committee of the American Chamber of Commerce in Belgium (Amcham), the Japan Business Council in Europe (JBCE), the Confederation of British Industry (CBI), International Communications Round Table (ICRT), and the European Information and Communications Technology Industry Association (EICTA). Contact details for each organisation are given below.

These Clauses are being submitted to the European Commission for approval as "standard contractual clauses"; the above groups believe that, as recognised in the Commission's decision of June 18, 2001 recognising a set of standard contractual clauses, there should be a variety of clauses available for use by business. If approved, use of the Clauses would provide a simple, inexpensive legal basis under the European Data Protection Directive for transferring personal data from any EU Member State to data controllers in third countries, without the necessity of having the Clauses approved by national data protection authorities. The Clauses are designed to co-exist with the standard contractual clauses approved by the Commission on June 18, and are limited in scope to controller-to-controller transfers. The Clauses provide a flexible alternative to the clauses already approved which better reflect the global business realities of data transfers, while still offering just as high a level of data protection.

Parties may wish to consider including additional commercial provisions in certain areas; illustrative formulations are included at the end of this document.

Contact details:

ICC: Christopher Kuner Tel. +32-2-347 0400 Click here to send a mail.	FEDMA: Axel Tandberg Tel. +32-2-778 9925 Click here to send a mail.	AMCHAM: Pascale Gelly Tel. +33-1-30 70 92 43 Click here to send a mail..com
Heather Rowe Tel. +44-20-7296 2000 Click here to send a mail.
EICTA/ICRT: Armgard von Reden Tel. +32-2-225 2644 Click here to send a mail..com	CBI: Susannah Haan Tel. +44-20-7395 8047 Click here to send a mail..uk	JBCE: Tetsuo Karaki +32-2-712 7850 Click here to send a mail.

---

DATA TRANSFER AGREEMENT

Between

( name)
(address and country of establishment)

hereinafter "Data Exporter"

and

(name)
(address and country of establishment)

hereinafter "Data Importer"

each a "Party", together "the Parties"

Definitions

The following terms shall have the following meanings (as amended from time to time in accordance with the applicable law):

"The Authority" shall mean the relevant data protection authority in the territory in which the Data Exporter is established;
"Clauses" shall mean these Contract Clauses, which are a free-standing document that does not incorporate commercial business terms established by the Parties under separate commercial arrangements;
"Data Controller" shall mean a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
"Data Exporter" shall mean the Party to these Clauses that transfers such Personal Data to the country where the Data Importer is situated;
"Data Importer" shall mean the Party or Parties to these Clauses which receives Personal Data from the Data Exporter for processing in accordance with the terms of these Clauses;
"Data Subject" shall mean a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
"Personal Data" shall mean any information described in Annex B relating to an identified or identifiable natural person;
"Processing" shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available , alignment or combination, blocking, erasure or destruction;
"Sensitive Data" shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

I. Obligations of the Data Exporter

The Data Exporter warrants and undertakes that:

1. The Personal Data have been collected, processed, and transferred in accordance with the laws applicable to the Personal Data, including, where applicable, any necessary notification to the Authority, receipt of any license, and/or consent by Data Subjects, and fulfilment of any legal requirements relating to Sensitive Data, data used for marketing purposes, and automated decisions.
   
   
2. It has used commercially reasonable efforts to determine that the Data Importer is able to satisfy its legal obligations under these Clauses.
   
   
3. It will provide the Data Importer, when so requested, with copies of relevant data protection laws or references to them (not including legal advice) of the country in which the Data Exporter is established.
   
   
4. It will respond to enquiries from Data Subjects and the Authority concerning processing of the Personal Data without excessive delay, or, at its option, will ensure that the Data Importer does so (only with the consent of the Data Importer), provided that the Data Exporter will always respond to all such enquiries if the Data Importer is unwilling or unable to do so.

II. Obligations of the Data Importer

The Data Importer warrants and undertakes that:

1. It will have in place appropriate technical and organisational measures which ensure a level of security appropriate to the risk represented by the processing and the nature of the data to be protected, and which protect all Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
   
   
2. It will have in place procedures to ensure that unauthorised persons will not have access to the exported Personal Data and that any persons it authorises to have access to the Personal Data, including processors, will respect and maintain the confidentiality and security of the Personal Data.
   
   
3. Where required, it has legal authority in the countries where the Personal Data will be processed to receive, store and process such data, to use it for purposes which are not incompatible with those for which it was originally collected or subsequently authorised by the Data Subject (which subsequent authorisation, however, shall not be subject to these Clauses), and to give the warranties and fulfil the undertakings set out in these Clauses.
   
   
4. It will identify to the Data Exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the Personal Data, and will reasonably cooperate in good faith with the Data Exporter and the Authority concerning all such enquiries without excessive delay.
   
   
5. At the request of the Data Exporter, it will provide Data Exporter with evidence of financial resources sufficient for purposes of processing data under these Clauses (which may include insurance coverage).
   
   
6. It will, upon reasonable request of the Data Exporter, submit its data processing facilities, data files and documentation needed for processing to auditing and/or certification by the Data Exporter (or any independent or impartial inspection agents or auditors selected by the Data Exporter and not reasonably objected to by the Data Importer) to ascertain compliance with the warranties and undertakings in these Clauses, with reasonable notice and during business hours, subject to any necessary consent or approval from regulatory or supervisory authorities, which the Data Importer will attempt to obtain in a timely fashion.
   
   
7. It will process the Personal Data, at its option, in accordance with (i) the data protection laws of the country in which the Data Exporter is established; or (ii) the relevant provisions of any Member State decision or Commission decision under Article 25(6) of Directive 95/46/EC (or any superseding text) finding that a third country provides adequate protection in certain sectors of activity, but only if the Data Importer is based in that third country or affiliated with a company in that third country and is not covered by or has not elected to adhere to those provisions; or (iii) the data processing principles set forth in Annex A.

Data Importer to indicate which option it selects:
Initials of Data Importer:

8. It will not disclose or transfer the Personal Data to a third party Data Controller unless it has previously notified the Data Exporter that the Personal Data will be subject to an adequate level of data protection as determined, at the option of the Data Importer, by any of the grounds set forth in Clause II.(g) above.

III. Liability and Third Party Rights

1. Each Party shall be liable to the other Party and to Data Subjects for damages it causes by any breach of these Clauses.
   
   
2. The Parties agree that a Data Subject shall have the right, if the Data Exporter does not enforce these Clauses against the Data Importer within a reasonable period, to enforce as a third party beneficiary this Clause and Clauses I.(d), II.(d), II.(g), III(a), V., and VII. against the Data Importer with regard to his Personal Data. The Data Subject shall have no greater rights as against the Data Importer than would the Data Exporter (except when the Data Subject alleges a breach by the Data Importer).

IV. Applicable Law

These Clauses shall be governed by the law of the country in which the Data Exporter is established, with the exception of processing of the Personal Data by the Data Importer, which shall be governed by Clause II.(g).

V. Resolution of Disputes with Data Subjects or the Authority

In the event of a dispute or claim brought by a Data Subject or the Authority concerning the processing of the Personal Data against either or both of the Parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably and as soon as practicable. Each Party shall abide by a decision of a competent court of the Data Exporter's country of establishment or of the Authority which is final and against which no further appeal is possible.

VI. Termination

1. In the event that the Data Importer is in breach of its obligations under these Clauses, then the Data Exporter may temporarily interrupt the transfer of Personal Data to the Data Importer until the breach is repaired or the contract is terminated.
   
   
2. In the event that:
   1. the transfer of Personal Data to the Data Importer has been temporarily interrupted by the Data Exporter for longer than one month;
   2. compliance by the Data Importer with these Clauses would put it in breach of its legal or regulatory obligations in the country of import;
   3. the Data Importer is in substantial or persistent breach of any warranties or undertakings given by it under these Clauses;
   4. a final decision against which no further appeal is possible of a competent court of the Data Exporter's country of establishment or of the Authority rules that there has been a breach of the Clauses by the Data Importer or the Data Exporter; or
   5. a petition is presented for the administration or winding up of the Data Importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the Data Importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs

   
   then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer, shall be entitled to terminate these Clauses upon one month's notice. In cases covered by i), ii), or iv) above the Data Importer may also terminate these Clauses.

3. Either Party may terminate these Clauses if (i) any Commission decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the Data Importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country, in b oth of which cases Clause VI.(d) shall not apply.
   
   
4. In the event of termination of these Clauses, the Data Importer must return all Personal Data and all copies of the Personal Data subject to these Clauses to the Data Exporter forthwith or, at the Data Exporter's choice, will destroy all copies of the same and certify to the Data Exporter that it has done so, unless the Data Importer is prevented by its national law or local regulator from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be actively processed for any purpose. The Data Importer agrees that, if so requested by the Data Exporter, it will allow the Data Exporter, or an inspection agent selected by the Data Exporter and not reasonably objected to by the Data Importer, access to its establishment to verify that this has been done, with reasonable notice and during business hours.

VII. Variation of these Clauses

The Parties may not modify these Clauses so as to adversely affect their data protection obligations toward the Data Subjects as described herein. Third party consent shall not be required for any other variation.

VIII. Description of the Transfer

The details of the transfer and of the Personal Data are specified in Annex B. The Parties agree that Annex B contains confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency. The Parties may execute additional Annexes to cover further transfers. Annex B may also cover multiple transfers.

Dated:

for DATA IMPORTER

for DATA EXPORTER

---

ANNEX A: DATA PROCESSING PRINCIPLES

1. Purpose limitation - Personal Data may be processed and subsequently used or further communicated only for purposes not incompatible with those for which it was originally collected (as described in Annex B) or subsequently authorised by the Data Subject.
2. Data quality and proportionality - Personal Data must be accurate and, where necessary, kept up to date. The Personal Data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
3. Transparency - Data Subjects must be provided with basic information (by the Data Exporter or the Data Importer) as to the processing and transfer.
4. Security and confidentiality - Technical and organisational security measures must be taken by the Data Controller that are appropriate to the risks, such as unauthorised access, presented by the Processing. Any person acting under the authority of the Data Controller, including a processor, must not process the data except on instructions from the Data Controller.
5. Rights of access, rectification, deletion and objection - Data Subjects must, at least via a third party, be provided upon reasonable request with the personal information about them that an organisation holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. The Data Subject must also be able to object to the Processing of the Personal Data relating to him if there are compelling legitimate grounds relating to his particular situation.
6. Sensitive Data - If Sensitive Data is to be the subject of Processing hereunder, the Data Exporter and the Data Importer shall take such additional measures as may be necessary to protect the security of such Sensitive Data. Where required by law, the Data Exporter shall obtain explicit consent from Data Subjects to process any Sensitive Data and to transfer Sensitive Data to the Data Importer.
7. Data used for Marketing Purposes - The Data Importer agrees to exclude any Data Subjects from Processing for marketing purposes after receiving notification from a Data Subject or the Data Exporter of such Data Subject's opting out of such use.
8. Automated Decisions - For purposes hereof "Automated Decision" shall mean a decision by the Data Exporter or the Data Importer which produces legal effects concerning a Data Subject or significantly affects a Data Subject and which is based solely on automated Processing of Personal Data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The Data Importer shall not make any Automated Decisions concerning Data Subjects, except where:
   a.
   1. such decisions are made by the Data Importer in entering into or performing a contract with the Data Subject, and
   2. the Data Subject is given an opportunity to discuss the results of a relevant Automated Decision with a representative of the party making such decision or otherwise to make representations to that party.
   or

b. Where otherwise provided by the law of the Data Exporter.

---

ANNEX B: DESCRIPTION OF THE TRANSFER
[To be completed by the Parties]

Data Subjects
The Personal Data transferred concern the following categories of Data Subjects:



Purposes of the transfer[s]
The transfer is made for the following purposes:



Categories of data
The Personal Data transferred concern the following categories of data:



Recipients
The Personal Data transferred may be disclosed only to the following recipients or categories
of recipients:



Sensitive Data (if appropriate)
The Personal Data transferred concern the following categories of Sensitive Data:

ILLUSTRATIVE COMMERCIAL CLAUSES (OPTIONAL)

Indemnification between the Data Exporter and Data Importer:

"The Parties will indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of these Clauses. Indemnification hereunder is contingent upon (a) the Party(ies) to be indemnified (the "Indemnified Party(ies)") promptly notifying the other Party(ies) (the "Indemnifying Party(ies)") of a claim, (b) the Indemnifying Party(ies) having sole control of the defence and settlement of any such claim, and (c) the Indemnified Party(ies) providing reasonable cooperation and assistance to the Indemnifying Party(ies) in defence of such claim."

Dispute Resolution between the Data Exporter and Data Importer (the Parties may of course substitute any other alternative dispute resolution or jurisdictional clause):

"In the event of a dispute between the Data Importer and the Data Exporter concerning any alleged breach of any provision of these Clauses, such dispute shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said rules. The place of arbitration shall be [ ]. The number of arbitrators shall be [ ]."

Allocation of Costs:

Each Party shall perform its obliga tions under these Clauses at its own cost.