A German perspective on International Data Transfers

January 2013

In Germany – as in the rest of the European Union – the transfer of personal data to so-called “third countries”, those outside of the European Union and the European Economic Area, is only permitted where the transfer is justified, e.g. by binding corporate rules, consent of the data subject, the use of European standard contractual clauses or the implementation of Safe Harbor Principles by the data importer.

However, in certain cases, the German data protection authorities' interpretation of when a transfer can be justified is stricter than that of other European authorities:

Safe Harbor

The German data protection authorities have certain reservations about the Safe Harbor Principles as, according to their assessment, these principles do not offer data protection standards comparable to those of the European Union. For this reason, a transfer of personal data to a Safe Harbor certified company is only possible under certain circumstances. The data exporter cannot simply rely on a statement by the data importer that it is Safe Harbor certified; rather, the data exporter has to check whether the Safe Harbor Principles are actually adhered to and ensure that the certification is still valid. The data importer must show the data exporter proof of the certification, even if it appears on the Safe Harbor list of the US Federal Trade Commission. Furthermore, the data importer must prove that it is complying with the obligation to notify data subjects about the processing of their personal data and indicate how it fulfils this obligation. The data exporter must keep a record of these checks on the data importer and make this record available to the data protection authorities on request. To avoid any doubt, the German data protection authorities recommend the use of EU standard contractual clauses rather than relying on Safe Harbor.

Commissioned data processing

For commissioned data processing to third countries, e.g. outsourcing, offshoring and cloud computing services, the European Commission has published EU standard contractual clauses (controller to processor) for the transfer of data from a data exporter to a data importer (EU Commission decision of February 2010, 2010/87/EU). The use of these model clauses permits commissioned data processing when the processor is situated in a country outside of the EU/EEA. However, according to German legal stipulations, the mere contractual conclusion of these model clauses is not, in itself, sufficient for third country controller to processor transfers. The model clauses will have to be amended by certain additional clauses in order to satisfy German data protection law requirements. These additional clauses can be added to Appendices 1 and 2 of the model clauses and must include provisions on the subject and duration of the work to be carried out; the extent, type and purpose of the intended processing; the type of data; and the data subjects. In addition, further information must be provided about the rectification, erasure and blocking of data, together with instructions relevant to any subcontracting of the processing where necessary.

It must be clear from the contract that the controller has authority to issue instructions to the processor, and the extent of that authority should be clear. Finally, there must be an additional clause dealing with the return of data storage media and the erasure of data recorded by the processor after the work has been carried out.

Even though these “amended EU model clauses” may still cause problems when it comes to the transfer of special categories of personal data, such solutions are generally feasible and accepted by the data protection authorities. However, it has to be ensured that the amendments are made in the appendices of the EU standard contractual clauses, not in the body of the contract. Any amendments to the body of the contract would mean the clauses would have to be notified to the German data protection authorities in order to justify the transfer abroad.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub, please contact us.

Paul Voigt

Paul gives an insight into international data transfers from Germany.