As we all know at this stage, model contracts are to be used when transferring information outside of the EU. To refresh people’s memory, there are two versions of these,
Within the contracts, a Data Controller in the EEA is known as a data exporter, whilst the party outside the EEA is known as a data importer.
The key protections in the Model Contract are:
Having all this in place is only the first step. There is a general rule that personal data cannot be transferred to third countries unless that country ensures an adequate level of data protection.
So what does adequacy look like?
The “adequacy” test relates to the scope of the proposed transfer of personal data, including:
The challenge for companies then becomes one of ensuring that they have the necessary policies and controls in place in order to protect the data. Fundamentally, this becomes an assessment of the data processor's data protection practices, and this is where the challenge lies in the absence of safe harbor.
One could very easily conclude that assessing a data processor outside of the EEA for adequacy is a prudent and logical step in any event, rather than relying on a self-certified agreement. If the last few days have taught us anything, it is not to rely on self-certification and to check for yourself.