On November 26, 2014, the Article 29 Data Protection Working Party (“WP29”) issued document WP 226 (14/EN) to create a procedure enabling companies to: (i) frame transfers from different EU Member States; (ii) obtain a coordinated position of the competent DPAs regarding the proposed contract; and (iii) decide in particular if the contract is in conformity with a standard contractual clause.
The procedure created by WP29 should help those corporate groups whose data systems are centralized outside the EEA and that have the same set of contractual clauses signed by their different EU subsidiaries. Different DPAs may be tasked with analyzing the same contract in order to assess its compliance with a model clause, and there is a risk of discordant conclusions.
A bit of background: Article 26.2 Directive 95/46/EC enables companies to use contractual clauses to show sufficient safeguards to legally frame international transfers of personal data from the EU. To facilitate the use of contractual clauses, the European Commission has previously issued three decisions on standard contractual clauses. Two of these regulate transfers from data controllers to data controllers (see here and here); the third regulates transfers from data controllers to data processors (see here).
Generally, contracts used by companies to legally frame international transfers are mostly (or entirely) based on the standard contractual clauses. When a contract is compliant with the standard contractual clauses, it reduces the number of national authorizations required for the international transfer of data (depending on national legislation).
The procedure set forth by WP 226 (14/EN) enables a company to have a one-stop check of the compliance of the contract that it signs with different EU subsidiaries with the approved European Commission Model Clauses. This is the procedure:
- Launch of the procedure. The company may decide to ask the DPA it believes is entitled to have the main role to launch an EU cooperation procedure in order to obtain a common point of view on the contract and, in particular, on whether the proposed contract is compliant with the Standard Contractual Clauses. If the DPA agrees to act as “Lead DPA”, it will simultaneously forward this information to all competent DPAs (i.e., all the DPAs of the countries from where transfers will take place) and identify the proposed reviewer DPA(s). The other competent DPAs will be asked to raise, within two weeks, any objections or any particular reasons they deem necessary to be designated as Lead DPA.
- Review process. A system of mutual recognition is put in place. If ten or more EU Member States are affected, three DPAs will be involved (one Lead DPA, two (co)reviewer DPAs). If fewer than ten EU Member States are affected, the results of the Lead DPA will be reviewed by one DPA only. When the Lead DPA decides that the contract is compliant with the SCC, it expresses its opinion in a draft letter which is communicated with the proposed contract to the (co)reviewer(s). The (co)reviewer(s) will assess the contract within one month. If there is no answer from a co-reviewer within the given timeframe, it will be deemed to have agreed to the draft letter.
- Co-operation with the other competent DPAs. At the end of the review process, the draft letter, the analysis and the draft contract are communicated to the other competent DPAs. They will have one month to comment. If there is no answer within the timeframe, they will be deemed to have agreed to the draft letter.
- Ending of the co-operation procedure. Once the Lead DPA has finished this process of EU co-operation, it will sign the letter on behalf of the other competent DPAs and send the letter to the company, indicating whether the proposed contract is in conformity with the relevant Standard Contractual Clauses. The decision relates to conformity, if any, with model clauses. This does not exclude that permits or authorisations at national level are legally required.
WP 226 (14/EN) is available at http://ec.europa.eu…