As a result the safety of the handling of the personal data may be at stake.
The "transfer" of personal data to third countries that do not have an adequate level of
protection (as regards the handling of personal data) is made possible, inter alia through
protection by way of an agreement that is binding both with respect to the data exporter and the
In order to ensure the safety of the handling of the personal data, the European Commission has
already drawn up a number of standard agreements in the past, in which the provisions of the
"Personal Data Protection" Directive are contractually included.(2)
The responsibilities imposed by these contracts vary according to the parties’ capacities.
On the one hand there is the "Controller". He is the one who has the control of the
personal data and who gives instructions regarding their processing.
Then there is the "Processor". He acts on instruction of the Controller.
Finally, an appeal can still be made to a "Sub-Processor", who as it were carries out
tasks as a subcontractor of the Processor.
The Standard Agreements that are already available refer to the relationship between the
European Controller (Data Exporter), and the non-European Controller (Data Importer), as well as to
the relationship between the European Controller and the non-European Processor and his
There was consequently no specific Standard Agreement to regulate the relationship between a
European Processor of personal data and a non-European Sub-Processor. However, it is not
inconceivable that a European Processor opts to engage a Sub-Processor from a third country. In
order that also this relationship would provide for the necessary guarantees, on 21 March 2014 a
proposal was launched in order to remedy this gap.
The contents of the new Standard Agreement are similar to the Standard Agreements that are
already being used. One of the main features of such agreement is the Third Party Beneficiaries
clause. On that basis, a data subject whose data are processed can bring an action if a party fails
to comply with its contractual obligations. This clause ensures that the individual (data subject)
can enforce and taken action to protect his data rights in the first place against the Data
exporter and, should the Data Exporter no longer exist, against the Data Importer and in the last
instance against the Sub-Processor.
In the existing Standard Agreement, the Controller was always the Data Exporter. The new
agreement provides that the personal data are transferred by the Processor.
Nevertheless, the Controller will in the first place remain liable, should an individual suffer
damage as a result of an incorrect operation in the processing. Only if the Controller no longer
exists, the individual can take action against the Data Exporter and the Data
However, the data subject concerned cannot take action against the Controller under such
agreement. A clause in favour of third parties creates a tripartite relationship, and the
Controller would be a fourth party, which is not allowed by this construction. The liability of the
Controller and the rights of action of the individual concerned will, therefore, result from the
framework agreement entered into by the Controller with the Processor-Exporter.
The conclusion of a framework agreement is an obligation the Data Exporter-Processor must have
fulfilled, if he wants to transfer personal data to a Data Importer-Processor. In such framework
agreement the Controller must undertake a series of obligations that should ensure the safety of
Having regard to the fact that the Controller is not a party to the new agreement, he will have
every reason to give his Processors clear and explicit instructions regarding the processing and
under which circumstances action can be taken against a Data Importer-Sub-Processor. After all,
the Controller will remain the first point of contact.
In any case, it is good news that a uniform legal framework for the transfer of personal data
between European and non-European Processors will be provided for. This proposal will now be
evaluated by the European Commission and only if the Commission’s conclusion is positive, the new
standard agreement can be used.
1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
2 Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the
introduction of an alternative set of standard contractual clauses for the transfer of personal
data to third countries and Commission Decision of 5 February 2010 on standard contractual clauses
for the transfer of personal data to processors established in third countries.