Data Processor Export (Non-EU) Agreement

Data Processing Export Agreement - Personal Data Security (Non-EU)


This Data Processing Export Agreement - Personal Data Security (Non-EU) template is designed to be used where an entity (the “Data Exporter”) based in the UK, being a country within the EU, engages an entity based outside the EU (the “Data Importer”), and it collects and uses personal data - for example about its customers and staff - which it transfers to the Data Importer for it to hold/process that personal data for the Data Exporter.

This document is compliant with the new GDPR (General Data Protection Regulation) and can be used both before and after May 2018 when the GDPR comes into effect. 

If after considering the following you decide that you do not wish to or cannot enter into an agreement such as this, you should obtain legal advice as to whether, in the absence of such an agreement, there are alternative steps that you can take, or relevant circumstances, enabling you to comply with the law relating to the transfer of data outside the EU.

The background to this template and the reasons why a Data Exporter may decide that it can or needs to use this template, are as follows:

  • EU Directive 95/46/EC (the “Directive”) requires each EU Member State to ensure that transfers of personal data to a Data Importer outside the EU are only permitted to take place if there is an “adequate level of protection” (within the meaning of Article 25 (2) of the Directive) for the data. As at September 2016, the EU Commission recognises that Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay provide “adequate protection”, and so in cases where the Data Importer is in any of those countries, there will be no need to consider using this template. You can check for any updating of this list of countries on the Commission’s website.
  • Under the Data Protection Act 1998 (the “Act”), a Data Exporter is bound by the Eighth Data Protection Principle which states that personal data must not be transferred to a country or territory outside the EEA unless that country or territory ensures an “adequate level of protection” for the rights and freedoms of personal data of individuals in relation to the processing of personal data. 
  • However, the Directive states that in certain cases (listed in the Directive) a Member State of the EU may authorise such a transfer of personal data to a non-EU country which does not ensure an “adequate level of protection”. One of the exceptional cases listed is where the Data Exporter and Data Importer enter into an agreement on model terms published for the purpose by the EU Commission. By means of a Commission Decision of 2010, the Commission published model terms. This form of agreement closely follows those model terms and so an agreement made using this form will be such an "agreement on model terms".  
  • As explained below, the Act recognises the use of the model terms as an exception to the Eighth Data Protection Principle. The Act states that this Principle does not apply if the Information Commissioner (“IC”) authorises a transfer of data made in such a manner as to ensure adequate safeguards to protect the data, and that the IC must give such authorisation where such transfers are authorised by the EU Commission. Since use of the model terms was authorised by the Commission, the ICO issued that authority in 2010. 
  • A Data Exporter may therefore carry out transfers of data lawfully under the Act where the Data Exporter and Data Importer enter into an agreement on the model terms, but in order for such an agreement to be valid for the purpose of the EU Directive and the Act, the terms of such an agreement must not omit anything from the model terms nor contain anything which contradicts any of the model terms. Such an agreement may however include additional provisions; this leeway is reflected by Clause 11 of this template (although the template agreement does not include any such additional provisions). The template does not omit anything from or include anything contradicting the model terms, and so it is valid for the purposes of the EU Directive and the Act.
  • The General Data Protection  Regulation (GDPR) with effect from 28 May 2018 will repeal and replace the Directive, but the GDPR specifically provides that model terms previously authorised and published by the EU Commission and authorised by the IC may still be used after 28 May 2018 unless and until they are amended or replaced by the IC or a Commission Decision made under Article 46(2) of the GDPR. The GDPR deems references in the model terms to the Directive to be references to the GDPR.  In practical terms, this means that this Data Processing Export Agreement - Personal Data Security (Non-EU) may still be used after 28 May 2018 despite the fact that it refers to the Directive repealed as from 28 May 2018. 
  • This template is drafted on the assumption that both the Data Controller and the Data Importer are corporate business entities, not individuals, but it can be suitably adapted if either or both are some other type of organisation or are individuals.

This Data Processing Export Agreement - Personal Data Security (Non-EU) contains the following clauses:

  1. Definitions
  2. Details of the Transfer
  3. Third Party Beneficiary Clause
  4. Obligations of the Data Exporter
  5. Obligations of the Data Importer
  6. Liability
  7. Indemnity
  8. Mediation and Jurisdiction
  9. Co-operation with Supervisory Authorities
  10. Governing Law
  11. Variation of the Contract
  12. Sub-processing
  13. Obligation after the Termination of Personal Data-Processing Services

This document is in open format. 

Once you have purchased access to the appropriate document folder click on the “Download Document” button below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.