
Model clauses for use in contracts involving transborder data flows
23 September 1998

Introduction

These model clauses ("the Clauses") have been prepared by the Working Party on Privacy and Data Protection of the Commission on Telecommunications and Information Technologies of the International Chamber of Commerce. They build on:

  • The Recommendation of the Council of the OECD Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980);
  • The Council of Europe Convention number 108 of 1981; and
  • The Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows (1992) published by the Council of Europe, the Commission of the European Communities and the ICC and endorsed by the OECD.

The Clauses also draw on the recommended contract clauses issued by the Office of the Privacy Commissioner of Hong Kong in Factsheet No. 1 of April 1997.

In preparing the Clauses, the Working Party also reviewed a document entitled "Working Document: preliminary views on the use of contractual provisions in the context of personal data to third countries", adopted on 22 April 1998. The document was prepared by a working party ("the Article 29 Working Party") established pursuant to Article 29 of the Directive 95/46/EC of the European Parliament and Council with regard to the processing of personal data and on the free movement of such data ("the Directive").

The Clauses are intended to assist those who wish to transfer personal data from countries that regulate export of personal data to countries that do not provide protection for personal data that the source country finds adequate [1]. By implementing the Clauses, international businesses will be taking positive steps in assuring authorities and individuals in a country from which data is being exported that the data will receive an adequate level of protection in the destination country. The Clauses also allocate responsibility for the protection of this data.

The Clauses create powerful and practical safeguards to protect privacy and fundamental rights of individuals where their data is transferred to countries without an established regime for the protection of personal data. The ICC believes that the Clauses are appropriate contractual clauses for the purposes of Article 26(2) of the Directive which protect personal data transferred to countries outside the EU that are not considered to provide an adequate level of protection for such data. The Clauses may also be useful for exporters of data from countries outside the European Economic Area ("EEA") which do have data protection legislation and would wish organisations importing data into countries without such legislation to adopt the levels of protection in that legislation.

Explanatory notes

The Clauses are based on the experience of international companies that have been exporting personal data for many years. They have been designed so that simple model clauses can be incorporated in contracts between data exporters and data importers, reducing costs and facilitating satisfaction of requirements of data protection authorities. The Clauses will benefit small and medium-sized enterprises in particular which may not be able easily to afford the cost of creating specific clauses themselves.

The Clauses apply to transborder data flows between two parties that involve personal data. They are drafted for use in a two-party transaction. This might occur, for example, between a commercial entity and a data processing service provider in another country or between two members of the same group of companies sharing human resources or other personally identifiable information. The data might be exported by physical transfer of data files, including certain manual files, or by electronic media such as the Internet.

Several jurisdictions have adopted data protection laws that, in essence, impose export controls on certain kinds of personal data.

The Article 29 Working Party, in its preliminary views on the use of contract clauses, listed certain elements which should be spelt out in any contract of this nature - for example a requirement that data should be accurate and, where necessary, kept up to date by the recipient. The Clauses do not spell out the matters listed by the Article 29 Working Party for the export of data from any country in the EEA, since the ICC believes this is not necessary because of the way in which the Clauses are designed to work. The Clauses require the Data Importer to observe the laws on data protection applicable in the Member State where the Data Exporter is established. Since that law will contain all the matters listed by the Article 29 Working Party, it is not necessary to spell them out at length.

Some of the laws in question seek to ban export of personal data to countries that do not have an "adequate" level of protection, or an "equivalent" level of protection. Others provide for data protection authorities to determine whether export should be allowed. A key factor that should be reviewed in any instance is the contractual safeguards provided for such data. Compliance with these laws creates new obligations with associated costs for businesses and regulators. The Clauses are an appropriate and cost-effective means to fulfil such legal obligations. Their use will be discussed with the relevant regulatory authorities in EU Member States for endorsement under Article 26(2) of the Directive in order to avoid the need to negotiate and seek regulatory approval for transborder data flows on a case-by-case basis. The Clauses will also be submitted to the European Commission which has power, under Article 26(4) of the Directive, to approve contractual solutions, in which event these Clauses would be approved for use throughout the EU.

The Clauses provide an enforcement mechanism. Under the Clauses, as in most export control legislation, the person exporting the data ("the Data Exporter") is the appropriate party to subject to legal responsibility for export and for preventing unauthorised access to, loss of, or alteration to personal data and for protecting it from all other unlawful forms of processing by his contracting party (the "Data Importer"). This is intended to avoid the legal and practical difficulties of data protection authorities attempting to regulate parties outside their jurisdiction. The Clauses provide that the Data Exporter shall have certain powers and rights to assure compliance by the Data Importer, and require the Data Exporter – who is best equipped to do so – to seek contractual remedies from his business counterpart in the event of a breach of the data protection laws in the country of export. These powers and rights include:

  • requiring the Data Importer to submit to verification or audit procedures of its processing facilities and information handling (which could be at the insistence of the data protection authority in the country where the Data Exporter is established)
  • requiring submission by the Data Importer to the jurisdiction of a country’s courts for certain relief
  • requiring the Data Importer to permit the Data Subject the same rights it would have had against the Data Exporter in respect of the data prior to its export
  • an indemnity for violations of contractual provisions
  • rights of termination of the Clauses if the Data Importer is in breach of contract; and/or
  • return of, or deletion of, the personal data on termination of the relationship for any reason.

This solution also provides data protection authorities with a vehicle to refer complaints and concerns from Data Subjects in the jurisdiction to the Data Exporter. Consequently, in the majority of cases (i.e. except in cases where the country of processing is not the same as the country of collection) the citizens will be able to express their concerns to the Data Exporter in their own country and language, triggering the local legal requirements applicable to the Data Exporter, and the contractual obligations the Data Exporter has imposed on the Data Importer. This puts the burden of responding to the citizen’s concerns where it properly belongs, on the Data Exporter. This avoids the inconvenient situation where the Data Subject is faced with seeking redress abroad in an unfamiliar legal system and language and perhaps with significant expense. That notwithstanding, the Clauses provide for disputes regarding compliance with the Clauses to be dealt with by an independent body to whose decisions the Data Exporter and the Data Importer will submit.

The Clauses impose compliance obligations and responsibilities on the Data Exporter, who will be most familiar with the relevant law protecting the Data Subject. Such compliance may carry with it cost implications. It is always open to the Data Exporter and Data Importer to negotiate between them how such costs might be allocated. The Clauses have employed the common legal device of indemnification, as occurs, for example, in the recommended contract clauses issued by the Office of the Privacy Commissioner of Hong Kong. However, the parties should be free to negotiate alternate arrangements if they wish to do so or even to negotiate a limit of liability under such an indemnity. The ICC perceives that the concept of an indemnity by the Data Importer to the Data Exporter creates, indirectly, additional comfort for Data Subjects as the existence of such an indemnity will be an additional disincentive to the Data Importer breaching the terms of the Clauses.

The Clauses do not address the commercial aspects of the contractual relationship between the parties which do not raise privacy concerns. These are left for documentation by the parties as they negotiate. Clearly, those matters will be influenced by the type of agreement into which the Clauses are incorporated and could include the following:

  • details of the processes and principles of good practice which the Data Exporter may wish the Data Importer to adopt in relation to the data, such as time limits for retention, procedures for updating data or specific security measures (for example, having regard to the sensitivity of particular data),
  • specific treatment of special data, often referred to as "sensitive data",
  • the purpose or purposes for which the personal data were collected,
  • any other audit rights which the Data Exporter deems necessary to protect itself,
  • where the personal data are used for direct marketing purposes, the data subject’s right to "opt-out" from having his/her data used, or further transferred, for such purposes,
  • limitation of liabilities under the indemnities (or for breach of the Clauses generally),
  • where automated individual decisions are to be taken which trigger specific rights for data subjects, provision could be made to enable such data subjects to exercise those rights,
  • a provision as to which party would bear the cost of any investigations carried out pursuant to these clauses,
  • a dispute resolution mechanism for disputes between the Data Exporter and the Data Importer other than that set out in Clause five of the Clauses,
  • stipulating the uses of the personal data that the Data Importer may make,
  • seeking performance bonds from the Data Importer.

Many of the above are part of the general data protection requirements of the Directive.

The Article 29 Working Party has expressed its view that contractual solutions will be most effective in transfers between members of the same group of companies or where the parties to the contract are large operators already subject to public scrutiny and regulation [2]. Large international networks, such as those used for credit card transactions and airline reservations, demonstrate both of these characteristics and thus are situations in which contracts may be most useful.

The experience of the ICC, however, is that its efforts in promoting development of commonly accepted practices and principles, including contractual language, make a form of contract embodying important concepts acceptable to a broad spectrum of enterprises. As the forms and practices become more widely known and accepted, they are then readily adopted by the general business community, including small and medium sized enterprises and, consequently, the ICC believes these clauses, or variations on them, may be more widely applicable than the Article 29 Working Party believes.

Parties wishing to incorporate the Clauses into their contracts may do so by inserting the following sentence, or a similar one, into their written agreements:

 "The parties hereto agree that the ICC Model Clauses For Use In Contracts Involving Transborder Data Flows, Publication No.___ (1998), are hereby incorporated by reference in this agreement as if fully set out herein."

Definitions

For the purposes of these clauses (the "Clauses"), the following terms shall have the following meanings:

"The Authority" means the relevant data protection authority in the territory in which the Data Exporter is established;
"Data Controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
"Data Exporter" shall mean the party identified elsewhere in this contract which transfers such personal data to the country where the Data Importer is situated;
"Data Importer" shall mean the party to this contract as identified elsewhere in this contract which receives personal data from the Data Exporter for processing in accordance with the terms of this contract;
"Data Processor" means a natural or legal person, public authority, agency or any other body which processes data on behalf of the Data Controller;
"Personal Data" or "personal data" shall mean any information relating to an identified or identifiable natural person and the personal data the subject of these Clauses is described in [Schedule [  ]] [Appendix][Annex][A] to this contract;
"Data Subject" is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
"Processing" or "processing" shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
"Sensitive Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.


1. Warranties of the Data Exporter.

The Data Exporter warrants that:

  • The Personal Data to be exported have been collected and processed in accordance with notice, consent or other requirements of all relevant laws of the country in which the Data Exporter is established;
  • Where applicable, it is registered with the Authority and, where required, has provided notice that it exports personal data and/or has received any licence or consent necessary to do so lawfully in the country in which it is established; and
  • Its processing of the personal data, as notified by the Data Exporter to the Data Importer, will not violate any current law or regulation of the country where the Data Exporter is established.

2. Undertakings of the Data Exporter and Disputes with Data Subjects or Data Protection Authorities.

  (a) The Data Exporter will take such actions as are necessary to ensure it has fulfilled, and will continue to fulfil the warranties set out in Clause 1.
  (b) The Data Exporter will promptly respond to enquiries from the Authority about the use of the relevant personal data and to any Data Subject’s enquiry concerning use of his or her personal data, (including whether the same has been exported by it) and provide the enquirer with the name of the Data Importer and the individual responsible at the Data Importer who will be informed of the enquiry and who will respond to inquiries from its national authorities.
  (c) The Data Exporter confirms that, on request by the Data Importer, the Data Exporter will supply a copy of the current laws in relation to the data protection applicable in the country where the Data Exporter is established. It also undertakes to notify the Data Importer as soon as possible of any changes to the said applicable laws.
  (d) In the event of a dispute between the Data Exporter or the Data Importer and a Data Subject or the Authority concerning the Data Importer’s processing of personal data, which dispute is not amicably resolved, the Data Exporter agrees to use reasonable efforts to defend the lawfulness of the Data Importer’s processing of the Data Subject’s personal data through available means of dispute resolution between Data Controllers and Data Subjects, or between Data Controllers and the Authority, as applicable, provided for in the country where the Data Exporter is established. The Data Importer agrees to abide by the decision of the Authority (or other authority or tribunal having jurisdiction of the dispute) with respect to such processing as finally affirmed by the judicial authority to which appeal of such decision may be made, as if it were party to the proceedings. The Data Importer hereby authorises the Data Exporter to settle any such dispute without recourse to completion of all such formal dispute resolution formalities pursuant to advice of counsel reasonably acceptable to the Data Exporter that such settlement is warranted and reasonable in the circumstances. The Data Importer shall execute and deliver to the Data Exporter any further documents or instruments necessary under the laws of any relevant jurisdiction to give effect to the foregoing.
  (e) The Data Exporter shall notify to Data Importer, prior to export of any personal data to the Data Importer, the purposes for the use of such data.

3. Warranties of the Data Importer

The Data Importer warrants that it has:

  (a) full legal authority in the country where the personal data will be processed to receive, store and process such data, to use it for the purpose(s) for which it has been collected by the Data Exporter, as set out herein, and to give warranties and fulfil the undertakings set out in this Clause 3,
  (b) in place appropriate technical and organisational measures against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and adequate security programs and procedures to ensure that unauthorised persons will not have access to the data processing equipment used to process the exported personal data, and that any persons it authorises to have access to the personal data will respect and maintain the confidentiality and security of the personal data, and
  (c) security programs and procedures under 3(b) above, which reflect the level of damage that might be suffered by the Data Subject as a result of unauthorised access and disclosure and which specifically address the nature of Sensitive Data, where necessary.

4. Undertakings of the Data Importer.

The Data Importer undertakes to

  (a) do such actions as are necessary to ensure it has fulfilled, and will continue to fulfil, the warranties set out in Section 3,
  (b) process the personal data in accordance with the laws of the country in which the Data Exporter is established,
  (c) provide the Data Subject the same rights of access, correction, blocking, suppression or deletion available to such individual in the country in which the Data Exporter is established,
  (d) not use the personal data for a purpose not compatible with that notified to it under 2(e) above, or as may otherwise be authorised by the Authority or the laws or any relevant regulatory body in the country in which the Data Exporter is established,
  (e) use the personal data solely for its own use and not disclose or transfer the personal data to a third party or a third country without the prior consent of the Data Exporter and such consent will not be given unless the Data Exporter is satisfied with all the terms of such disclosure or transfer and that the personal data will receive an adequate level of security after such disclosure or transfer,
  (f) appoint, and identify to the Data Exporter and to the Authority, an individual within its organisation authorised to respond to enquiries from the Authority or a Data Subject concerning its processing of his or her personal data. The Data Importer will deal with all enquiries relating to the personal data promptly, including those from the Data Exporter and the Authority, and in any event within any time frame stipulated by applicable laws in the country in which the Data Exporter is established,
  (g) submit its data processing facilities, data files and documentation needed for processing to auditing and/or certification by the Data Exporter (or other duly qualified auditors of inspection authorities not reasonably objected to by the Data Importer and approved by the Data Exporter to ascertain compliance with the warranties and undertakings in these Clauses),
  (h) comply with any changes in applicable laws notified to it by the Data Exporter. In the event it is unable to do so, it shall forthwith notify the Data Exporter and the Data Exporter shall be entitled to terminate this agreement, unless the parties have agreed or forthwith agree to take such steps as shall enable Data Importer to so comply, and
  (i) notify the Data Exporter of any provisions in its local law, or of any changes in that law, which does or could affect the Data Importer's ability to perform its obligations under these Clauses.

5. Dispute Resolution. Disputes between Data Importer and Data Exporter

In the event of a dispute between the Data Importer and the Data Exporter concerning any alleged breach of any provision of these Clauses, such dispute shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said rules.

6. Indemnities

The Data Exporter and the Data Importer will indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss resulting from its breach of any of the provisions of these Clauses.

7. Termination

In the event that

  • the Data Importer gives notice to the Data Exporter under Clause 4(h) above;
  • the Data Importer is in breach of any warranties or undertakings given by it under these Clauses;
  • the Authority or other tribunal or court in the country in which the Data Exporter is established rules that there has been a breach of any relevant laws in that jurisdiction by virtue of the Data Importer's processing of the personal data,

the Data Exporter, without prejudice to any other rights which it may have against the Data Importer, shall be entitled to terminate these Clauses forthwith.

In the event of termination of these Clauses, the Data Importer must return all personal data and all copies of the personal data, the subject of these Clauses to the Data Exporter forthwith or, at the Data Exporter's choice, will destroy all copies of the same and certify to the Data Exporter that it has done so, unless the Data Importer is prevented by its national law or local regulator from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be processed for any purpose. The Data Importer irrevocably agrees with the Data Exporter that, if so requested by the Data Exporter or the Authority, it will allow the Data Exporter or the Authority access to its establishment to verify that this has been done or will allow access for this purpose by any duly authorised representative of the Data Exporter.

8. Data Processors

Where the Data Importer is a Data Processor and the Data Exporter is in the EEA, the following shall apply

  • the Data Processor will observe the obligations of a Data Controller under the Directive in respect of the Personal Data being processed by it; and
  • the Data Processor shall act only on the instructions of the Data Exporter.

9. Governing Law

The laws which shall govern these Clauses shall be the laws of the country in which the Data Exporter is established.

[1] In some countries "adequate" may not be the proper term of reference. Persons using the model contract should refer to the appropriate legislative text for the country in question.

[2] In the German 'Bahncard' case, involving Citibank, the Berlin Data Protection Commissioner co-operated with the American banking supervisory authorities. The data were transferred pursuant to a contract detailing the data processing arrangements, particularly relating to security and excluded all other uses of the data by the recipient.

Copyright 2010 International Chamber of Commerce