Do you want to hire a service provider who processes personal data of your employees or customers outside of the European Economic Area (EEA)? Are you a service provider who processes personal data in a third country on behalf of European companies?
In these cases, the EU General Data Protection Regulation (GDPR) mandates that the uniform, Europe-wide level of data protection be maintained when data is processed in a third country. To this end, a so-called appropriate safeguard is required for a data transfer, according to Art. 44 et seq. GDPR. An adequacy decision of the European Commission or a contractual agreement between controller (exporter of data) and processor (importer of data) must be considered. If there is no adequacy decision, companies must require service providers based in third countries to enter into an agreement upholding certain data protection standards. The European Commission has therefore issued so-called standard contractual clauses to which companies can refer (exact title: standard contractual clauses for the transfer of personal data to processors established in third countries).
With our interactive generator, you can create these standard contractual clauses step-by-step and easily adapt them to your needs. An intuitive questionnaire will help you do this – simply answer the questions and enter the appropriate data when prompted and you will create your standard contractual clauses in under 15 minutes!
You need standard contractual clauses when personal data under your responsibility will be transferred to a third country and there are no other appropriate safeguards for this transfer. Another common safeguard is the adequacy decision, for example. Through an adequacy decision, the European Commission is able to certify that certain third countries have the equivalent of the data protection level of the EEA. This has taken place for the following third countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay as well as the USA subject to the conditions of certification under the EU-U.S. Privacy Shield (accessible at https://www.privacyshield.gov/list).
There are three variations of the standard contractual clauses. Two variations are concerned with the simple data transfer between two controllers. The third is concerned with the transfer between an EEA-based company as the controller and a service provider as a processor based in a third country.
In our generator, we only depict the third variation for the relationship between the controller and the processor.
The contents comprise items from the standard contractual clauses issued by the European Commission: definitions, general principles and stand-alone descriptions of the parties as attachments. In addition, an optional or voluntary compensation clause can be incorporated. The content of the standard contractual clauses is, in principle, unchangeable and accordingly must be approved by the parties. The level of protection can be increased through additional regulations; however, this can be implemented in a separate attachment.
Are the standard contractual clauses sufficient in allowing data to be processed in third countries?
A widespread misconception in the industry is that completing the standard contractual clauses is, per se, enough to legitimise the transfer of data. Completing them serves solely to provide the appropriate safeguards for maintaining a consistent level of data protection. A legal basis for the transfer can never be constructed this way.
In practice, the standard contractual clauses in most cases accompany separately concluded agreements on upholding data protection legal requirements. Thus, in the case where processing is to be carried out on behalf of a controller, the parties must agree upon a contract according to Art. 28 GDPR.
Generally, employee data is handled similarly to sensitive data, such as customer data. In such circumstances, a careful check is required before this data is transferred to a third country. In the case of a transfer to the USA, certification under the EU-U.S. Privacy Shield along with a separate requirement for employee data must be fulfilled. The certified companies must fulfil special human resources requests that fall under the EU-U.S. Privacy Shield. We highly recommend that you seek counsel for your individual case.
Do the standard contractual clauses also cover the situation in which my service provider based in a third country engages another processor (sub-processor)?
The chain of compliance with the levels of protection must not be broken in this case either. When the standard contractual clauses are used as the fallback for the appropriate safeguard, they must either be separately signed by each sub-processor, which is often impossible, or the processor must be authorised on behalf of the controller to complete the standard contractual clauses with the sub-processor. If necessary, such an authorisation can be included in the underlying and separately concluded data processing agreement.
Please note the following regarding the service scope for creating the standard contractual clauses:
- After completing your purchase, you will receive access for 24 hours to the generator for creating the standard contractual clauses. Access can be obtained through your activeMind.shop user account. Detailed instructions will be sent to you by email immediately following purchase.
- You can use the generator as often as you want during your product’s validity period. Please note the rights of use and exemption from liability in our general terms and conditions.
- Purchasers can create a contract template step-by-step using our generator. You can view the instructions any time on the page with the interactive generator.
- There is no verification of the accuracy of the entered data. The accuracy of all entered data is to be verified by the user. The assistance is so intuitive that it requires no additional verification.
- The generated product is based exclusively on the European Commission issued standard contractual clauses between controllers and processors, shown here in the original text: 2010/87/: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).
- After you’ve finished entering your data, you can download the resulting MS Word document or copy it to the clipboard to insert it in the application of your choice.
- To protect your data, the resulting text will not be stored on our server. As soon as you close the page or your web browser or your session ends, you must enter your data again.