Was recently updated.

Contractual clauses

There are a series of derogations enabling transfers to countries not offering an adequate level of protection. In order to provide legal security to economic actors, EU member states have made it compulsory to apply these derogations to transfers to third countries not offering an adequate level of protection. One of these derogations is the possibility for controllers to offer adequate protection themselves, by means of a contract. Protection can be offered, for example, through a contract which is binding for those who send the data and those who receive them, and which contains sufficient safeguards regarding data protection.

Controllers have two possibilities:

  1. the European Commission's standard contractual clauses or
  2. contractual clauses proposed by the company in question itself.

To help controllers, the European Commission has provided for standard contractual clauses that are considered automatically as sufficient safeguards in light of the applicable data protection rules.

Below you will find the available standard contractual clauses:

  • contractual clauses for transfers from a controller to a controller
    (first model 2001/497/CE);
  • contractual clauses for transfers from a controller to a controller
    (second model 2004/915/CE);
  • contractual clauses for transfers from a controller to a processor
    (for contracts prior to 15 May 2010: 2002/16/CE; for new contracts since 15 May 2010: 2010/87/EU). Please be advised that the Article 29 Working Party has elaborated FAQs (WP176) about contractual clauses following Decision 2010/87/EU.

The notification of standard contractual clauses is no longer required. Nevertheless the controller or processor should always be able to submit its standard contractual clauses when requested so by the Belgian Data Protection Authority.

If controllers do not chose for the European Commission's standard contractual clauses, they can nevertheless draw up their own contractual clauses (ad hoc clauses) offering sufficient data protection safeguards. These clauses have to be submitted to the Authority according to article 46.3.a) of the GDPR and subsequently these clauses will have to be approved by the European Data Protection Board in accordance with article 46.4 GDPR through the consistency mechanism