RedlinedFAQ10Art17-300

Draft
Frequently Asked Questions (FAQs)

FAQ 10 - Article 17 contracts

Q: When data is transferred from the EU to the United States only for processing purposes, will a contract be required, regardless of participation by the processor in the safe harbor ?

A: Yes. Data controllers in Europe are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU.The purpose of the contract is to protect the interests of the data controller, ie the person or body who determines the purposes and means of processing, who retains full responsibility for the data vis-à-vis the individual(s) concerned. The contract thus specifies the processing to be carried out and any measures necessary to ensure that the data are kept secure.

A US organisation participating in the safe harbor and receiving ~~data~~ personal information from the EU merely for processing thus does not have to apply the ~~notice, choice, onward transfer, access and data integrity~~ principles~~. T~~to this information, because the controller in the EU remains responsible for it vis-à-vis the~~se matters,~~ individual in accordance with the relevant EU provisions (which may be more stringent than the equivalent safe harbor principles). ~~The US processor needs only to apply the safe harbor security principle, which will obviate the need for any provisions in the contract regarding security.~~

Participation in the safe harbor nevertheless represents an advantage over non-participation in thesafe harbor ~~in that the party transferring the data will not have to seek an authorisation for the transfer as such or will have that authorization granted automatically because~~ . Because adequate protection ~~as regards the security principle~~ is provided by safe harbor participants~~. C~~,contracts with safe harbor participants for mere processing do not require prior authorization (or ~~approval~~ such authorization will be granted automatically by the Member States ~~or the Commission~~) as is would be required for ~~certain~~ contracts ~~under Article 26 of the Directive~~ with recipients not participating in the safe harbor.