Module Two: Transfer Controller to Processor (C2P)
Purpose and scope
The purpose of these standard contractual clauses is to ensure
compliance with the requirements of Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of
personal data and on the free movement of such data (General Data
Protection Regulation) for the transfer of personal data to a third
the natural or legal person(s), public authority/ies, agency/ies
or other body/ies (hereinafter “entity/ies”) transferring the
personal data, as listed in Annex I.A. (hereinafter each “data
the entity/ies in a third country receiving the personal data
from the data exporter, directly or indirectly via another
entity also Party to these Clauses, as listed in Annex I.A.
(hereinafter each “data importer”) have agreed to these standard
contractual clauses (hereinafter: “Clauses”).
These Clauses apply with respect to the transfer of personal data as
specified in Annex I.B.
The Appendix to these Clauses containing the Annexes referred to
therein forms an integral part of these Clauses.
Effect and invariability of the Clauses
These Clauses set out appropriate safeguards, including enforceable
data subject rights and effective legal remedies, pursuant to
Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and,
with respect to data transfers from controllers to processors and/or
processors to processors, standard contractual clauses pursuant to
Article 28(7) of Regulation (EU) 2016/679, provided they are not
modified, except to select the appropriate Module(s) or to add or
update information in the Appendix. This does not prevent the
Parties from including the standard contractual clauses laid down in
these Clauses in a wider contract and/or to add other clauses or
additional safeguards, provided that they do not contradict,
directly or indirectly, these Clauses or prejudice the fundamental
rights or freedoms of data subjects.
These Clauses are without prejudice to obligations to which the data
exporter is subject by virtue of Regulation (EU) 2016/679.
Data subjects may invoke and enforce these Clauses, as third-party
beneficiaries, against the data exporter and/or data importer, with
the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e);
- Clause 9 - Clause 9(a), (c), (d) and (e);
- Clause 12 - Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Clause 18(a) and (b).
Paragraph (a) is without prejudice to rights of data subjects under
Regulation (EU) 2016/679.
Where these Clauses use terms that are defined in Regulation (EU)
2016/679, those terms shall have the same meaning as in that
These Clauses shall be read and interpreted in the light of the
provisions of Regulation (EU) 2016/679.
These Clauses shall not be interpreted in a way that conflicts with
rights and obligations provided for in Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the
provisions of related agreements between the Parties, existing at the
time these Clauses are agreed or entered into thereafter, these
Clauses shall prevail.In the event of a contradiction between these
Clauses and the provisions of related agreements between the Parties,
existing at the time these Clauses are agreed or entered into
thereafter, these Clauses shall prevail.
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of
personal data that are transferred and the purpose(s) for which they
are transferred, are specified in Annex I.B.
Clause 7 - Optional
An entity that is not a Party to these Clauses may, with the
agreement of the Parties, accede to these Clauses at any time,
either as a data exporter or as a data importer, by completing the
Appendix and signing Annex I.A.
Once it has completed the Appendix and signed Annex I.A, the
acceding entity shall become a Party to these Clauses and have the
rights and obligations of a data exporter or data importer in
accordance with its designation in Annex I.A.
The acceding entity shall have no rights or obligations arising
under these Clauses from the period prior to becoming a Party.
SECTION II - OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to
determine that the data importer is able, through the implementation
of appropriate technical and organisational measures, to satisfy its
obligations under these Clauses.
The data importer shall process the personal data only on documented
instructions from the data exporter. The data exporter may give such
instructions throughout the duration of the contract.
The data importer shall immediately inform the data exporter if it
is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the
specific purpose(s) of the transfer, as set out in Annex I.B, unless
on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses,
including the Appendix as completed by the Parties, available to the
data subject free of charge. To the extent necessary to protect
business secrets or other confidential information, including the
measures described in Annex II and personal data, the data exporter
may redact part of the text of the Appendix to these Clauses prior to
sharing a copy, but shall provide a meaningful summary where the data
subject would otherwise not be able to understand the its content or
exercise his/her rights. On request, the Parties shall provide the
data subject with the reasons for the redactions, to the extent
possible without revealing the redacted information. This Clause is
without prejudice to the obligations of the data exporter under
Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has
received is inaccurate, or has become outdated, it shall inform the
data exporter without undue delay. In this case, the data importer
shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration
specified in Annex I.B. After the end of the provision of the
processing services, the data importer shall, at the choice of the
data exporter, delete all personal data processed on behalf of the
data exporter and certify to the data exporter that it has done so, or
return to the data exporter all personal data processed on its behalf
and delete existing copies. Until the data is deleted or returned, the
data importer shall continue to ensure compliance with these Clauses.
In case of local laws applicable to the data importer that prohibit
return or deletion of the personal data, the data importer warrants
that it will continue to ensure compliance with these Clauses and will
only process it to the extent and for as long as required under that
local law. This is without prejudice to Clause 14, in particular the
requirement for the data importer under Clause 14(e) to notify the
data exporter throughout the duration of the contract if it has reason
to believe that it is or has become subject to laws or practices not
in line with the requirements under Clause 14(a).
8.6 Security of processing
The data importer and, during transmission, also the data exporter
shall implement appropriate technical and organisational measures to
ensure the security of the data, including protection against a
breach of security leading to accidental or unlawful destruction,
loss, alteration, unauthorised disclosure or access to that data
(hereinafter “personal data breach”). In assessing the appropriate
level of security, the Parties shall take due account of the state
of the art, the costs of implementation, the nature, scope, context
and purpose(s) of processing and the risks involved in the
processing for the data subjects. The Parties shall in particular
consider having recourse to encryption or pseudonymisation,
including during transmission, where the purpose of processing can
be fulfilled in that manner. In case of pseudonymisation, the
additional information for attributing the personal data to a
specific data subject shall, where possible, remain under the
exclusive control of the data exporter. In complying with its
obligations under this paragraph, the data importer shall at least
implement the technical and organisational measures specified in
Annex II. The data importer shall carry out regular checks to ensure
that these measures continue to provide an appropriate level of
The data importer shall grant access to the personal data to members
of its personnel only to the extent strictly necessary for the
implementation, management and monitoring of the contract. It shall
ensure that persons authorised to process the personal data have
committed themselves to confidentiality or are under an appropriate
statutory obligation of confidentiality.
In the event of a personal data breach concerning personal data
processed by the data importer under these Clauses, the data
importer shall take appropriate measures to address the breach,
including measures to mitigate its adverse effects. The data
importer shall also notify the data exporter without undue delay
after having become aware of the breach. Such notification shall
contain the details of a contact point where more information can be
obtained, a description of the nature of the breach (including,
where possible, categories and approximate number of data subjects
and personal data records concerned), its likely consequences and
the measures taken or proposed to address the breach including,
where appropriate, measures to mitigate its possible adverse
effects. Where, and in so far as, it is not possible to provide all
information at the same time, the initial notification shall contain
the information then available and further information shall, as it
becomes available, subsequently be provided without undue delay.
The data importer shall cooperate with and assist the data exporter
to enable the data exporter to comply with its obligations under
Regulation (EU) 2016/679, in particular to notify the competent
supervisory authority and the affected data subjects, taking into
account the nature of processing and the information available to
the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, or
trade union membership, genetic data, or biometric data for the
purpose of uniquely identifying a natural person, data concerning
health or a person’s sex life or sexual orientation, or data relating
to criminal convictions and offences (hereinafter “sensitive data”),
the data importer shall apply the specific restrictions and/or
additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third
party on documented instructions from the data exporter. In addition,
the data may only be disclosed to a third party located outside the
European Union (in the same country as the data importer or in another
third country, hereinafter “onward transfer”) if the third party is or
agrees to be bound by these Clauses, under the appropriate Module, or
the onward transfer is to a country benefitting from an adequacy
decision pursuant to Article 45 of Regulation (EU) 2016/679 that
covers the onward transfer;
the third party otherwise ensures appropriate safeguards pursuant to
Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the
processing in question;
the onward transfer is necessary for the establishment, exercise or
defence of legal claims in the context of specific administrative,
regulatory or judicial proceedings; or
the onward transfer is necessary in order to protect the vital
interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with
all the other safeguards under these Clauses, in particular purpose
8.9 Documentation and compliance
The data importer shall promptly and adequately deal with enquiries
from the data exporter that relate to the processing under these
The Parties shall be able to demonstrate compliance with these
Clauses. In particular, the data importer shall keep appropriate
documentation on the processing activities carried out on behalf of
the data exporter.
The data importer shall make available to the data exporter all
information necessary to demonstrate compliance with the obligations
set out in these Clauses and at the data exporter’s request, allow
for and contribute to audits of the processing activities covered by
these Clauses, at reasonable intervals or if there are indications
of non-compliance. In deciding on a review or audit, the data
exporter may take into account relevant certifications held by the
The data exporter may choose to conduct the audit by itself or
mandate an independent auditor. Audits may include inspections at
the premises or physical facilities of the data importer and shall,
where appropriate, be carried out with reasonable notice.
The Parties shall make the information referred to in paragraphs (b)
and (c), including the results of any audits, available to the
competent supervisory authority on request.
Use of sub-processors
The data importer has the data exporter’s general authorisation for
the engagement of sub-processor(s) from an agreed list. The data
importer shall specifically inform the data exporter in writing of
any intended changes to that list through the addition or
replacement of sub-processors at least [Specify time period] in
advance, thereby giving the data exporter sufficient time to be able
to object to such changes prior to the engagement of the
sub-processor(s). The data importer shall provide the data exporter
with the information necessary to enable the data exporter to
exercise its right to object.
Where the data importer engages a sub-processor to carry out
specific processing activities (on behalf of the data exporter), it
shall do so by way of a written contract that provides for, in
substance, the same data protection obligations as those binding the
data importer under these Clauses, including in terms of third-party
beneficiary rights for data subjects. The Parties agree that, by
complying with this Clause, the data importer fulfils its
obligations under Clause 8.8. The data importer shall ensure that
the sub-processor complies with the obligations to which the data
importer is subject pursuant to these Clauses.
The data importer shall provide, at the data exporter’s request, a
copy of such a sub-processor agreement and any subsequent amendments
to the data exporter. To the extent necessary to protect business
secrets or other confidential information, including personal data,
the data importer may redact the text of the agreement prior to
sharing a copy.
The data importer shall remain fully responsible to the data
exporter for the performance of the sub-processor’s obligations
under its contract with the data importer. The data importer shall
notify the data exporter of any failure by the sub-processor to
fulfil its obligations under that contract.
The data importer shall agree a third-party beneficiary clause with
the sub-processor whereby - in the event the data importer has
factually disappeared, ceased to exist in law or has become
insolvent - the data exporter shall have the right to terminate the
sub-processor contract and to instruct the sub-processor to erase or
return the personal data.
Data subject rights
The data importer shall promptly notify the data exporter of any
request it has received from a data subject. It shall not respond to
that request itself unless it has been authorised to do so by the
The data importer shall assist the data exporter in fulfilling its
obligations to respond to data subjects’ requests for the exercise
of their rights under Regulation (EU) 2016/679. In this regard, the
Parties shall set out in Annex II the appropriate technical and
organisational measures, taking into account the nature of the
processing, by which the assistance shall be provided, as well as
the scope and the extent of the assistance required.
In fulfilling its obligations under paragraphs (a) and (b), the data
importer shall comply with the instructions from the data exporter.
The data importer shall inform data subjects in a transparent and
easily accessible format, through individual notice or on its
website, of a contact point authorised to handle complaints. It
shall deal promptly with any complaints it receives from a data
In case of a dispute between a data subject and one of the Parties
as regards compliance with these Clauses, that Party shall use its
best efforts to resolve the issue amicably in a timely fashion. The
Parties shall keep each other informed about such disputes and,
where appropriate, cooperate in resolving them.
Where the data subject invokes a third-party beneficiary right
pursuant to Clause 3, the data importer shall accept the decision of
the data subject to:
lodge a complaint with the supervisory authority in the Member
State of his/her habitual residence or place of work, or the
competent supervisory authority pursuant to Clause 13;
refer the dispute to the competent courts within the meaning of
The Parties accept that the data subject may be represented by a
not-for-profit body, organisation or association under the
conditions set out in Article 80(1) of Regulation (EU) 2016/679.
The data importer shall abide by a decision that is binding under
the applicable EU or Member State law.
The data importer agrees that the choice made by the data subject
will not prejudice his/her substantive and procedural rights to seek
remedies in accordance with applicable laws.
Each Party shall be liable to the other Party/ies for any damages it
causes the other Party/ies by any breach of these Clauses.
The data importer shall be liable to the data subject, and the data
subject shall be entitled to receive compensation, for any material
or non-material damages the data importer or its sub-processor
causes the data subject by breaching the third-party beneficiary
rights under these Clauses.
Notwithstanding paragraph (b), the data exporter shall be liable to
the data subject, and the data subject shall be entitled to receive
compensation, for any material or non-material damages the data
exporter or the data importer (or its sub-processor) causes the data
subject by breaching the third-party beneficiary rights under these
Clauses. This is without prejudice to the liability of the data
exporter and, where the data exporter is a processor acting on
behalf of a controller, to the liability of the controller under
Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as
The Parties agree that if the data exporter is held liable under
paragraph (c) for damages caused by the data importer (or its
sub-processor), it shall be entitled to claim back from the data
importer that part of the compensation corresponding to the data
importer’s responsibility for the damage.
Where more than one Party is responsible for any damage caused to
the data subject as a result of a breach of these Clauses, all
responsible Parties shall be jointly and severally liable and the
data subject is entitled to bring an action in court against any of
The Parties agree that if one Party is held liable under paragraph
(e), it shall be entitled to claim back from the other Party/ies
that part of the compensation corresponding to its / their
responsibility for the damage.
The data importer may not invoke the conduct of a sub-processor to
avoid its own liability.
The supervisory authority of one of the Member States in which the
data subjects whose personal data is transferred under these Clauses
in relation to the offering of goods or services to them, or whose
behaviour is monitored, are located, as indicated in Annex I.C,
shall act as competent supervisory authority.
The data importer agrees to submit itself to the jurisdiction of and
cooperate with the competent supervisory authority in any procedures
aimed at ensuring compliance with these Clauses. In particular, the
data importer agrees to respond to enquiries, submit to audits and
comply with the measures adopted by the supervisory authority,
including remedial and compensatory measures. It shall provide the
supervisory authority with written confirmation that the necessary
actions have been taken.