Data exporters can use a series of appropriate safeguards enabling transfers to countries not offering an adequate level of protection. One of these safeguards is the possibility for controllers to offer adequate protection through a contract, which is binding for those who send the data and those who receive them, and which contains sufficient safeguards to protect the personal data.
To help controllers, the European Commission has adopted standard contractual clauses (or “model contracts”) that are considered to offer sufficient safeguards in light of the applicable data protection rules.
The following standard data protection clauses may be used without an authorisation from the CNPD:
- Clauses for the transfer from a EU/EEA controller to a non-EU/non-EEA controller (« C-to-C », first set, as annexed in the European Commission’s decision 2001/497/EC)
- Clauses for the transfer from a EU/EEA controller to a non-EU/non-EEA controller (« C-to-C », second set, as annexed in the European Commission’s decision 2004/915/EC)
- Clauses for the transfer from a EU/EEA controller to a non-EU/non-EEA processor (« C-to-P », as annexed in the European Commission’s decision 2010/87/EU)
The controller or processor should always be able to present its standard data protection clauses when requested so by the CNPD (for example, in case of a control or audit).
- Model contracts for the transfer of personal data to third countries, on the European Commission’s website
- F A Q adopted by the Article 29 Data Protection Working Party (predecessor of the EDPB) on “C-to-P” clauses (WP176)
If controllers or processors do not use for the European Commission's standard contractual clauses, they can draft their own contractual clauses (“ad hoc” clauses) offering sufficient data protection safeguards. These clauses must be submitted to the CNPD in accordance with Article 46 (3) (a) of the GDPR. These clauses will subsequently have to be approved by the European Data Protection Board in accordance with Article 46 (4) of the GDPR through the consistency mechanism.
In accordance with Regulation n°7/2020 of 3 April 2020 of the National Data Protection Commission laying down the amount and payment terms of the fees within the framework of its powers of authorisation and consultation, each controller or processor established on the territory of Luxembourg, who submits contractual clauses to the CNPD for authorisation pursuant to Article 46 paragraph (3) letter a) of the GDPR, must pay a fee of 1.500 € to the CNPD.