Records Management Section
The University of Edinburgh Records Management Section
 

Contractual requirements for a transfer of personal data from the University to a data controller outside the European Economic Area (EEA)

Purpose

This document sets out the requirements for University staff to consider when transferring personal data to a data controller in a country outside the European Economic Area (EEA) and not on the approved list, and provides the required model contract clauses.

Who is this guidance for?

The information provided on this page has been specifically developed for use by the University of Edinburgh and its staff. This information may be used by other parties in line with our copyright statement. External users must be aware that the information and guidance provided does not constitute legal or professional advice and is specific to the circumstances in which the University of Edinburgh operates.

The information on this webpage is also available as a PDF that can be accessed below.

Feedback

If you have any comments about this guidance document, we would very much appreciate hearing them. Please contact us with your feedback.


Scope

This document provides the model contract clauses and guidance for the scenario set out above. An example of a transfer to a data controller outside the EEA is if information is passed to a university in China about a visiting student's grades. 

If you are transferring data under different circumstances, to a data controller in the EEA or in a country on the approved list, or to a data processor, different clauses must be used. Please use the guidance on data transfers to select the appropriate clauses for your situation:

What should I do?

If you need to transfer personal data to a data controller outside the EEA you have four options:

    1. Check whether the transfer qualifies for an exemption. If this is the case the transfer can go ahead without the need for a written agreement.
    2. If the transfer does not qualify for an exemption you should use the European Commission model contract clauses to construct a written agreement. This is the preferred option.
    3. If you cannot use the model contract clauses, you may construct your own written agreement. First, establish whether the circumstances of the transfer ensure an adequate level of protection.
    4. If you are satisfied that adequacy exists, construct a written agreement based on the model clauses used for transferring information to a data controller within the EEA.
    5. If this is not possible, you may proceed with the transfer without a written agreement only if the third country and the circumstances of the transfer ensure an adequate level of protection.

European Commission model contract clauses

The European Commission has issued two sets of model contract clauses for use when transferring personal data to data controllers outside the EEA and not on the approved list. We recommend using the set called ‘SET II Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)’, as it is clearer.

As the clauses have been officially approved by the European Commission, they must be used in their entirety without addition, deletion or alteration.

Explanation of model contract clauses

The Data Protection Act 1998 requires that appropriate safeguards are in place when transferring personal data to a data controller based in a country outside the EEA or not on the approved list. This is to ensure that the rights of the individual the information is about are still legally protected, as the information will be travelling outside the jurisdiction of European data protection legislation.

The model contract clauses above have been designed to do this by setting out the details of the transfer, the obligations of both the University and the data controller, and the liability of both parties should the contract be breached.

Authors: James Sneddon, Kiara King and Michael Gallagher
Version: 2

If you have any comments or suggestions regarding these pages please e-mail them to us at recordsmanagement@ed.ac.uk

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336

Page last updated: Thursday February 17 2011