The European Commission has adopted a Decision updating the standard contractual clauses for the transfer of personal data to processors established in non-EU countries. The Decision modifies current standard contractual clauses to take account of the expansion of processing activities and new business models for international processing of personal data.

The new Decision contains specific provision to allow, under certain conditions, the outsourcing of processing activities to sub-processors, while ensuring a constant protection of personal data.

Vice-President Jacques Barrot said "The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens' personal data ".

The "controller to processor" standard contractual clauses were approved by Commission Decision 2002/16/EC, in order to provide companies with a tool which ensures adequate protection for personal data when they transfer personal data to processors outside the EU/EEA.

The Decision takes account of he recommendations included in the Report on the implementation of Decisions on standard contractual clauses and proposals by different stakeholders. According to the newly adopted Decision, where a data importer (processor) intends to subcontract any of its processing operations performed on behalf of the EU data exporter (controller), it must first obtain the prior written consent of the data exporter.

The written contract will impose the same obligations on the sub-processor as those imposed on the data importer under the standard contractual clauses. Where the sub-processor fails to fulfil its data protection obligations, the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations. Moreover the sub-processing shall only consist of the processing operations agreed in the initial contract entered into by the data EU exporter and the data importer.

Existing contracts, concluded under clauses approved by Decision 2002/16/EC, shall remain in force as long as the transfers and data processing operations remain unchanged. If the parties to the contract wish to make changes to the contract or wish to introduce sub processing arrangements, they will be required to enter into a new contract, which shall comply with the updated version of the contractual clauses.

National Data Protection Authorities may also authorise other ‘ad hoc’ contractual arrangements for international data transfers, as long as they assume that such contracts provide sufficient safeguards for the protection of the fundamental rights and freedoms and the right to privacy in particular.