3.1. Contractual clauses

Data exporters can use a series of appropriate safeguards enabling transfers to countries not offering an adequate level of protection. One of these safeguards is the possibility for controllers to offer adequate protection through a contract, which is binding for those who send the data and those who receive them, and which contains sufficient safeguards to protect the personal data.

3.1.1.       Standard data protection clauses

To help controllers, the European Commission has adopted standard contractual clauses (or “model contracts”) that are considered to offer sufficient safeguards in light of the applicable data protection rules.

The following standard data protection clauses may be used without an authorisation from the CNPD:

• Clauses for the transfer from a EU/EEA controller to a non-EU/non-EEA controller (« C-to-C », first set, as annexed in the European Commission’s decision 2001/497/EC)
• Clauses for the transfer from a EU/EEA controller to a non-EU/non-EEA controller (« C-to-C », second set, as annexed in the European Commission’s decision 2004/915/EC)
• Clauses for the transfer from a EU/EEA controller to a non-EU/non-EEA processor (« C-to-P », as annexed in the European Commission’s decision 2010/87/EU)

The controller or processor should always be able to present its standard data protection clauses when requested so by the CNPD (for example, in case of a control or audit).

More information:

• Model contracts for the transfer of personal data to third countries, on the European Commission’s website
• F A Q adopted by the Article 29 Data Protection Working Party (predecessor of the EDPB) on “C-to-P” clauses (WP176)

 

3.1.2.       “Ad hoc” clauses

If controllers or processors do not use for the European Commission's standard contractual clauses, they can draft their own contractual clauses (“ad hoc” clauses) offering sufficient data protection safeguards. These clauses must be submitted to the CNPD in accordance with Article 46 (3) (a) of the GDPR. These clauses will subsequently have to be approved by the European Data Protection Board in accordance with Article 46 (4) of the GDPR through the consistency mechanism.

More information:

• Model of draft « ad hoc » contractual clauses “EU data processor to non-EU sub-processor" (« P-to-P »), adopted by the Article 29 Data Protection Working Party (predecessor of the EDPB) (WP214)