The Essentials of Data Transfer Agreements: Key Considerations and Guidelines
What Exactly is a Data Transfer Agreement?
A data transfer agreement is a legal contract between two parties that governs the transfer of data from one to the other. Typically, one of the parties is a data exporter, such as a company that is headquartered in the European Union. The other party could be a data importer, such as a company outside the EU that needs access to certain data – including personal data – as part of its business operations.
Data transfer agreements typically include a range of legal clauses that set out the terms and conditions governing how the data can be used, the security measures that must be put in place to protect it, and the obligations of the parties to cooperate in the transfer of data and to comply with relevant laws and regulations. The data transfer agreement may also include various clauses that specify how disputes between the parties will be resolved, how any intellectual property rights in the data will be protected, and how the parties will manage the legal requirements that arise when transferring personal data out of the EU.
Data transfer agreements are important because they help to ensure that any personal data transferred out of the EU is transferred with appropriate safeguards in place. If the agreement does not contain appropriate safeguards, then the transfer may be illegal. This could result in enforcement action by data protection authorities (DPAs) and fines for the data exporter – and potentially the data importer too – under the EU’s General Data Protection Regulation and other data protection laws.

Legally Required Components of Data Transfer Agreements
At the EU level, the main legal framework for transfers of personal data to countries outside the EU and the EEA is provided by the General Data Protection Regulation ("GDPR"). Transfers of personal data to countries not covered by an adequacy decision of the European Commission require the implementation of an appropriate safeguard, for example a data transfer agreement structured in accordance with the requirements set out in the GDPR. Moreover, pursuant to Article 28 GDPR, any processor (i.e., the party who processes personal data on behalf of the controller) must only employ subprocessors who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. This underlines the importance of including in your data transfer agreements the necessary provisions obliging subprocessors to comply with the GDPR.
Essential Terms & Provisions of a Data Transfer Agreement
The essential elements of data transfer agreements take into consideration the requirements of both the exporter and the recipient. As many GDPR commentators have noted, the GDPR is a strong form of consumer protection. Data exporters want the protection and reassurance of having the strongest, tightest privacy and data security provisions in place, while the data importer wants to be held accountable for how it uses and protects the data.
When drafting a data transfer agreement, the parties should consider including the following provisions:
Data protection clauses
Liability
Measurable, realistic provisions to hold the data importer accountable for transgressions make the agreement stronger. GDPR imposes data security and breach obligations on both data exporters and data importers. Performance under the data transfer agreement may be one element permissible to support the data exporter’s effort to show its compliance with GDPR.
Processor v. Controller
The tasks set forth in the data transfer agreement will indicate whether the parties are acting as processor at the direction of the data controller or as independent controllers. Much like the EU-U.S. Framework, organizations may not want to be burdened by a complex and nuanced transfer agreement. Instead, they prefer to use the C2C Model Clauses, which are clear but less flexible and give data exporters less control.
Forms of Data Transfer – Compliant Procedures
Once a data transfer agreement has been negotiated, it is essential that the data is in fact transferred in a secure and appropriate manner. There will likely be multiple data transfers within the course of the handling relationship outlined in the agreement, so companies should think about the best methods of transferring the data before such transfers take place. Where possible, the data should be kept and transferred within the European Union. If the data must leave the EU, under UK data protection law it can only be transferred if there is "adequate protection" for it in the third country concerned. This can either be provided by a third country being listed as providing adequate protection by the European Commission, or by contractual clauses with the importer.
CCTV data collected by a system in one country may be accessed remotely from another country. This may not constitute a transfer to a third country if the remote access is from within the EEA. Some CCTV systems automatically transmit video footage over telephone lines to a third-party control centre in order to verify whether or not a police response is required. In principle, this should not be a problem as long as the centre is based in the EU. However, if the centre is based outside of the EU, the CCTV data will need to be protected by a data transfer agreement or other EU "adequacy" rules.
The UK Information Commissioner has published guidance on international data transfers.
Hurdles and Solutions in Drafting Data Transfer Agreements
Setting the jurisdictional scope of the agreement
Because of the scope of most companies’ operations, it is very likely that different jurisdictions will apply. For example, there might be a local (or national) data protection law where a company is headquartered, a data protection law where the data is transferred to, and the applicable EU Data Protection Law may apply in the context of a transfer from the EU to another region. The company must determine whether it is subject to just one or multiple jurisdictions and, if the latter applies, which laws are applicable to transfers of personal data from which jurisdiction. A good solution is to ask the parties to indicate in the data transfer agreement their principal places of establishment, and then request those parties to confirm the applicable jurisdiction or jurisdictions in respect of transfers of personal data pursuant to that agreement. If the data transfer agreement also includes members of the same corporate group or other entities that may wish to rely on it, such organizations may enter into a new data transfer agreement with the parties to whom the data have been transferred, so that the data may be transferred outside the territories in which those groups of entities carry on business.
Creating an Effective Data Transfer Agreement
Companies are urged to adopt best practices in drafting a data transfer agreement with their selected transferring entity. Best practices may include negotiating with other parties to the agreement who may not have used data transfer agreements in the past, and/or where the transferring parties have differing philosophies on the protections incorporated within the data transfer agreement. Although the parties should have identified the intended terms of the data transfer agreement during the due diligence process, it is important to negotiate terms with the receiving party to ensure that all parties understand their obligations under the data transfer agreement.
When drafting and negotiating data transfer agreements, companies should be mindful of their data protection obligations under applicable data protection laws and regulations, such as the European Union General Data Protection Regulation, state data protection laws, and other applicable laws. It is also imperative for companies to continue to review the types of data that are considered "Personal Data" within the EU to ensure that they are appropriately drafting and executing the data transfer agreement.
In addition, it is important that companies utilize an experienced outside consultant or law firm to assist with customizing certain sections of the data transfer agreement. For instance, the confidentiality obligations set forth in the data transfer agreement may require additions or modifications that are not addressed in the template provisions. Likewise, a company’s risk management requirements may necessitate particular contractual protections in the data transfer agreement that are not set forth in the original template of the agreement.
Finally, certain parties may require additional protections or protections that are not mutually acceptable to all parties. For instance, certain affected parties may seek additional terms, such as those relating to (1) legislation, regulations, or legal action pursued by third parties within a certain jurisdiction, such as the United States; (2) the required process for prior written consent of the affected parties; (3) the rights that a party has to receive the originals and/or copies of certain documents relating to the privacy, data transfer, etc., of the individuals whose data will be transferred; (4) whether transferred data may be included in reports that will be sold to others; and (5) the obligations of the party accepting transferred data to indemnify certain parties for any breaches of the data transfer agreement or applicable data protection laws.