FAQ 10 - Article 17 contracts
Q: When data is transferred from the EU to the US only for processing
purposes, will a contract be required, regardless of participation in the
safe harbor?
A: Yes. Data controllers in Europe are always required to enter
into a contract when a transfer for mere processing is made, whether the
processing operation is carried out inside or outside the EU. The purpose
of the contract is to protect the interests of the data controller, i.e.
the person or body who determines the purposes and means of processing,
who retains full responsibility for the data vis-à-vis the individual(s)
concerned. The contract thus specifies the processing to be carried out
and any measures necessary to ensure that the data are kept secure.
A US organisation participating in the safe harbor and receiving data from the EU merely for processing thus does not have to apply the notice, choice, onward transfer, access and data integrity principles. The controller in the EU remains responsible for these matters, in accordance with the relevant EU provisions (which may be more stringent than the equivalent safe harbor principles). The US processor needs only to apply the safe harbor security principle, which will obviate the need for any provisions in the contract regarding security.
Participation in the safe harbor represents an advantage over non-participation
in that the party transferring the data will not have to seek an authorisation
for the transfer as such or will have that authorization granted automatically
because adequate protection as regards the security principle is provided
by safe harbor participants. Contracts with safe harbor participants for
mere processing do not require prior authorization or approval by the Member
States or the Commission as is required for certain contracts under Article
26 of the Directive.