Model contracts, free to use – this is what the EU offers for commissioned processing and for data transfers to "third countries" such as the USA. You should know these useful working tools.

Documentation is everything

Contracts for the processing of personal data must be documented. Verbal contracts are not enough, because otherwise it is impossible to prove that data protection has been complied with. This is common knowledge. But where can legally compliant samples be found? The answer is now easy for two important scenarios: in June 2021, the European Commission published official sample contracts dealing with the two topics of "data transfer to third countries" and "commissioned processing".

The sample contracts are freely available

Anyone is free to use these templates. Doing so does not infringe any copyright. The samples are available free of charge, in all 24 official languages of the EU, and every version is an official translation made by the professionals of the EU translation service. Even large companies could produce templates of this quality only with enormous effort. So it is a considerable service of the EU Commission.

There are "safe" and "unsafe" third countries

One set of model contracts deals with data transfers to third countries. Third countries are all countries that are not members of the EU. For some of these third countries, the European Commission has officially determined that they are, to a certain extent, considered "safe" in terms of data protection. This is the case, for example, with Switzerland or Japan. For most third countries, however, there is no such determination. The most important example of this is the USA.

Templates provide legal certainty

In the case of these "unsafe" third countries, special legal bases are needed in order to be allowed to transfer personal data to companies in these countries. The "EU standard contractual clauses" are an important legal instrument for this. They can be used when a company in the EU transfers personal data to companies in an "unsafe" third country.

The cut-off date for the new model contracts was 27th June 2021

The EU's previous model contracts for transfers to third countries were already over ten years old. During this time, there have been many new technical and legal developments. For this reason alone, it was necessary to adapt the model contracts. This has now been done. The new templates have been authoritative since 27th June 2021. Contracts based on the old sample contracts must be adapted by 27th December 2022.

Completely new: sample contracts for commissioned processing

Completely new is the set of model contracts for commissioned processing. Commissioned processing mainly comes into play when a company uses external service providers. These providers often need personal data from customers or even employees. These are typical use cases for commissioned processing.

They also fit within Germany

For the new "standard contractual clauses between data controllers and processors", it does not matter whether the service provider is based in Germany or elsewhere in the EU. They are intended precisely for the case where two companies within the EU agree on commissioned processing. But even if the companies involved are based in Germany, they can use the clauses. If, on the other hand, the processor is located in a third country, the standard contractual clauses for data transfers to third countries apply. In a sense, they cover the special case of commissioned processing as well.

The "modular structure" makes many things easier

An important innovation in all sample contracts is the "modular structure". It is intended to make their application as simple as possible. It is particularly characteristic of the model contracts for transfers to third countries. Four modules are provided there. They address the respective situation of the companies involved. Module 1, for example, covers the situation where the companies involved are, so to speak, on an equal footing. This is the case when the data transfer takes place between two data controllers with equal rights. Module 2, on the other hand, fits the situation where a company in the EU transfers data to a processor in a third country. Choosing the right module is much easier than it first appears. And then you can start filling out the sample contract right away.