After years of discussions, EU regulators have issued a new set of Standard Contractual Clauses to legitimize the transfer of personal data to countries outside the European Economic Area (EEA).1 The new set of clauses reflects the reality that organizations subcontract and may be of particular use in the outsourcing arena and for intra-group transfers to centralized service centers. For the first time, organizations that outsource services involving personal data can transfer that data to their suppliers located outside the EEA, and those suppliers can in turn pass it to subcontractors for further processing, without the need for the customer organization to take any further steps. Such subprocessing of data is built into the terms of the new contractual clauses.
Decision 2010/87/EU2 (the “Decision”), adopted by the European Commission in February 2010 (the “New Model Clauses”) updates and replaces the prior existing Standard Contractual Clauses for Processors, approved by Commission Decision 2002/16/EC (the “Old Model Clauses”) for the transfer of personal data outside the EEA by data exporters (the “Controllers”) to data importers processing data on behalf of Controllers (“Processors”).3
Please see full publication below for more information.