Standard Contractual Clauses

In order to approve the transfer, the Commissioner must at least be satisfied that the controller has provided adequate safeguards, particularly by means of appropriate contractual provisions in accordance with the proviso of Article 28(3) of the Act. 


To facilitate and
harmonise the implementation of this requirement, the European Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to controllers established outside the EU/EEA and another set for transfers to processors also established outside the EU/EEA.​

1. “(EU-)controller to (Non-EU/EEA-)controller”


The Commissioner encourages the use of standard contractual clauses in order to ensure that the rights of individuals are safeguarded even in countries which do not ensure an adequate level of protection.  

For more detailed information on model clauses you may access a dedicated section​ on the European Commission's website.


Notwithstanding the above, a transfer of personal data to a third country that does not ensure an adequate level of protection may be effected by a data controller if the data subject has given his unambiguous consent to the proposed transfer, and in the following cases: 

 

(a) is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;


(b) is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;


(c) is necessary or legally required on public interest grounds, or for the establishment, exercise or defence of legal claims;

(d) is necessary in order to protect the vital interests of the data subject; or

(e) is made from a register that according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided that the conditions laid down in law for consultation are fulfilled in the particular case.

Although the Commissioner’s approval is not required in these cases, the transfer of personal data to such third countries should be notified to the Commissioner as a new process or as an amendment, unless it had already been notified in the original notification form. In analysing the data transfer, the Commissioner may request from the data controller any relevant information which he deems necessary, in order to verify that the necessary criteria to transfer under Article 28 are being adhered to.