top of page

EU Data Protection Directive Article 26(2) Contracts


As discussed in the Litigation Support Tip of the Night for February 27, 2016 Article 26(2) of the EU Data Protection Directive (Directive 95/46/EC) provides that model contracts can be created to transfer personal data outside of the safe harbor or privacy shield framework. Word versions of the these contracts, or contractual clauses can he found here. There are two for the transfer of data to controllers outside the European Union and European Economic Area and one for the transfer of data to processors outside the EU/EEC.

The first contract, Decision 2001/497/EC, for transfer to data controllers contains some interesting provisions in Appendix 2 which sets forth the mandatory data protection principles:

Special categories of data: where data revealing racial or ehtnic origin, political opinions, religious or philosophical beliefe or trade union memberships and data concerning health or sex life and data relating to offences, criminal convictions or security measures are processed, additional safeguards should be in place within the meaning of Directive 95/46/EC, in particular, appropriate security measures such as strong encryption for transmission or such as keeping a record of access to sensitive data.

I have left spelling mistakes in the original Word documents downloaded from the European Commission's site. It's very odd to find these in official documents. Be sure to watch out for them. This provision puts an onus on the data controllers to either encrypt or log access to data about not only an individual's ethnic background, personal health data, political beliefs, and sexual activity, but also apparently security measures meant to protect this information by the individual it concerns.

Rights of access, rectification, erasure and blocking of data: as provided for in Article 12 of Directive 95/46/EC, the data subject must have a right of access to all data relating to him that are processed and, as appropriate, the right to the rectification, erasure or blocking of data the processing of which does not comply with the principles set out in this Appendix, in particular because the data are incomplete or inaccurate. He should also be able to object to the processing of the data relating to him on compelling legitimate grounds relating to his particular situation.

An individual can request access to data about herself or himself and correct or erase data that is incomplete or inaccurate. The Appendix also gives an individual the right to opt out of any programs using her or his data for the purposes of direct marketing. When the data is transferred to other controllers the data subjects must be notified in detail and give their consent, or the new controllers must assent to the provisions of the contractual clause.

The second contract for the transfer of data to controllers, Decision 2004/915//EC, is a revision of the first and contains similar provisions but was modified so that the data exporter and the data importer are not jointly liable for breaches to the data subject, but each have their own due diligence responsibilities.

The third draft contractual clause, for the transfer of data to processors, Decision 2010/87/EU, in addition to provisions guarding against the inadvertent destruction or disclosure of data; notification obligations to the data exporter about access by law enforcement agencies, accidental or unauthorized access, & data requests by subjects; and the right of a supervising authority to conduct an audit of the data importer, the draft contract also provides that the data importer will, "return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so"


bottom of page