Approved Arrangements for Transferring Personal Data to Third Countries
As outlined in our general guidelines, Irish data controllers cannot transfer personal data to "third countries" – i.e. places outside of the European Economic Area (EEA) – unless certain data protection safeguards are in place. (Note: The European Economic Area is made up of the 27 EU countries as well as Norway, Iceland and Liechtenstein.) In some cases, the third country will be approved by the EU Commission as ensuring "an adequate standard of data protection", and such approval will allow the transfer of personal data to proceed (subject, of course, to the normal data protection rules which apply in all circumstances).
However, where the third country has not been approved in this way, Irish data controllers must rely upon one of nine alternative measures. The alternative measure most likely to be used in practice is the use of arrangements which have been approved in advance by the Data Protection Commissioner – including, in particular, the use of 'model contracts' prepared for this purpose by the EU Commission. Model contracts are now available for downloading on the EU Commission website, and there are also extensive 'frequently asked questions' available for your information. The following information provides a general introduction to the application of model contracts in the Irish context.
A 'model contract' is a general type of contract that includes specific provisions dealing with data protection, and that has been approved either by the EU Commission or by the Data Protection Commissioner. A data controller in Ireland, which wishes to transfer personal data outside of the EEA, can use the model contract as the basis for its relationship with the third-country organisation. The EU-approved model contracts are in the form of blank templates, which can be filled in with the appropriate details (names of the organisations, types of personal data etc.). The EU's model contracts are available for downloading from the EU Commission website.
There are two different types of model contract:
(i) a contract to facilitate a transfer of personal data between a data controller in the EEA, and a data controller outside the EEA; and
(ii) a contract to facilitate transfer of personal data between a data controller in the EEA, and an agent or subcontractor – referred to as a 'data processor' – located outside the EEA.
The data controller located in the EEA is referred to in the contracts as a data exporter; the other party, located outside the EEA, is termed a data importer.
What safeguards are contained in the model contracts?
In the first type of model contract – between two separate data controllers – there are a number of data protection safeguards. The following is a short summary of some of the main protections:
(i) Adherence to data protection rules
The data importer agrees to process the personal data in accordance with 'mandatory data protection principles', which broadly reflect the data protection rules set out in the Data Protection Directive, 95/46/EC. The mandatory data protection principles are included as an appendix to the contract. The principles include: using personal data only for a purpose which is clearly specified in the contract itself; security and confidentiality of the data; the right to see a copy of personal data about oneself, and to have inaccurate information corrected or deleted; restriction on the onward transfer of personal data to other third countries without a further contract being put in place; and the ability to 'opt-out' of direct marketing practices.
The data exporter agrees to make a copy of the contract available upon request to data subjects – i.e. individuals whose personal details are being transferred. The data importer makes a similar undertaking and also agrees to provide assistance to data subjects wishing to make a complaint. The data importer also agrees to make its facilities available for inspection and audit by the data exporter.
Both the data exporter and data importer agree to cooperate with all reasonable enquiries from data subjects, or from the relevant national data protection authority, regarding the processing of personal data.
The data exporter and importer agree that data subjects shall have the right to sue for damages (against either the data exporter, data importer or both) arising from a breach of the data protection safeguards contained in the contract.
In the case of the second type of contract – i.e. a contract with non-EEA data processors – the contract does not need to specify the same high level of safeguards. This is because the data controller (located in the EEA) remains fully responsible for the personal data, and the data processor acts exclusively on its behalf, in an agency capacity. Accordingly, in this type of model contract, the data processor agrees to abide by the instructions of the data controller, and agrees to comply with security measures which are appropriate to the circumstances of the data transfer, and which are specified in the contract itself.
Do Irish data controllers need to deposit a copy of 'model contracts' with the Data Protection Commissioner?
No. In some EEA countries, data controllers are required to deposit a copy of each 'model contract', which they enter into with a non-EEA data controller or data processor, with the national data protection authority. This requirement does not apply in Ireland. However, the existence of satisfactory contracts is a matter that the Data Protection Commissioner may wish to raise when considering applications for registration under the Act, and in the course of his future programme of 'privacy audits'. Data controllers which do not have the requisite contracts in place, and which cannot point to alternative data protection safeguards, may be subject to enforcement proceedings under the Act.
Yes. The Commissioner can approve contractual clauses, which need not conform exactly to the EU Commission's 'model contracts'. However, the Commissioner will only authorise contracts that provide adequate data protection safeguards. Ordinarily, the Data Protection Commissioner will only consider authorising contracts that are general in nature, i.e. 'model contracts' that can be relied upon by a number of different data controllers within a sector or category. Resource limitations will make it impractical for the Commissioner's Office to authorise individual, company-specific contracts.
Can a data controller simply use its own company-specific contract?
No – not unless the contract has been approved in advance by the Data Protection Commissioner. A contract which a data controller devises for itself, and which deviates in any material respect from the 'model contracts' approved by the EU Commission or by the Data Protection Commissioner, cannot be relied upon as a safe basis for transferring personal data to third countries. Such contracts do not qualify as "authorised by the Data Protection Commissioner", as defined in Section 11 (4) (ix) of the Act.
On the other hand, if a data controller devises a contract which it feels provides suitable data protection safeguards, it is open to the data controller to submit this contract to the Data Protection Commissioner for approval. Contracts approved in this way can be relied upon as a safe basis for transferring personal data overseas.
Can the Data Protection Commissioner approve arrangements, other than contractual arrangements?
Yes. It is possible that formal arrangements, other than (or in addition to) contractual measures, may amount to 'adequate safeguards' for data protection purposes. If the Data Protection Commissioner approves such an arrangement, it may then be relied upon by the data controller (or by groups of data controllers within a particular sector) as a basis for transferring personal data to third countries.