Contractual clauses

If the European Commission does not clearly consider the level of protection of destination countries for data flows as adequate, this does not necessarily mean that no transfers are possible.

Introduction

There are a series of derogations enabling transfers to countries not offering an adequate level of protection. In order to provide legal security to economic actors, EU member states have made it compulsory to apply these derogations to transfers to third countries not offering an adequate level of protection, even though they have not formally been recognized as countries with inadequate protection. One of these derogations is the possibility for controllers to offer adequate protection themselves, by means of a contract. Protection can be offered, for example, through a contract which is binding for those who send the data and those who receive them, and which contains sufficient safeguards regarding data protection.

Controllers have two possibilities: the European Commission's standard contractual clauses or contractual clauses proposed by the company in question.

Both for the European Commission's standard contractual clauses and contractual clauses proposed by a company the Privacy Commission and the Ministry of Justice signed a protocol agreement on 25 June 2013, establishing the rules and procedures to effectively implement the clauses used for data transfers.

This protocol has the advantage of establishing, among others, a specific data for the data transfer. This date is determined by royal decree for clauses which are not the European Commission's clauses but which are nevertheless considered as offering sufficient safeguards. For clauses considered as in conformity with the European Commission's clauses, this is the date of the letter the Privacy Commission sends to the company in question informing it of the conformity.

1. The European Commission's standard contractual clauses

To help controllers, the European Commission has provided for standard contractual clauses that are considered automatically as sufficient safeguards in light of the applicable data protection rules.

This is why in Belgium contracts that are in conformity with the European Commission's standard contractual clauses are not ratified in practice by Royal Decree, nor are they subject to a specific authorisation by the Privacy Commission.

A copy of the contract will nevertheless have to be sent to the Privacy Commission so that it can check whether the document corresponds to the European Commission's standard contractual clauses. This principle has been included in the protocol agreement on contractual clauses signed jointly by the Minister of Justice and the president of the Privacy Commission on 25 June 2013.

Moreover, these processing operations will have to be notified in the Privacy Commission's public register, except in case of exemptions based on the applicable rules regarding notifications.

Below you will find the available standard contractual clauses:

  • contractual clauses for transfers from a controller to a controller
    (first model 2001/497/CE);
  • contractual clauses for transfers from a controller to a controller
    (second model 2004/915/CE);
  • contractual clauses for transfers from a controller to a processor
    (for contracts prior to 15 May 2010: 2002/16/CE; for new contracts since 15 May 2010: 2010/87/EU). Please be advised that the Article 29 Working Party has elaborated FAQs (WP176) about contractual clauses following Decision 2010/87/EU.

2. Contractual clauses proposed by companies

If controllers do not opt for the European Commission's standard contractual clauses, they can nevertheless draw up their own contractual clauses offering sufficient data protection safeguards. In principle these clauses must be ratified with a Royal Decree signed by the Minister of Justice, following the opinion of the Privacy Commission.

The protocol signed jointly by the Minister of Justice and the president of the Privacy Commission on 25 June 2013 determines the conditions contractual clauses have to meet to be considered as offering adequate protection, but also the rules for cooperation between the Privacy Commission and the Ministry of Justice to deal with these requests.

In practice the signed contractual clauses have to be sent to the Privacy Commission which will examine them and check whether they offer adequate safeguards. Eequesters will be asked to communicate whether they have adapted their clauses to be in conformity with the European Commission's clauses, or whther the would like to request authorisation by Royal Decree. In the latter case the Privacy Commission will issue an opinion within 60 days after the case file has been completed. If the opinion is favourable, it will prepare a draft royal decree based on the model attached to the protocol agreement. These documents will then be submitted to the Ministry of Justice which will examine whether all procedures have been respected. The ministry will subsequently sign the royal decree and ensure it is published in the Belgian Official Journal.

More detailed information can be found in the protcol agreement concluded between the Ministry of Justice and the Privacy Commission (French/Dutch).