The European Commission has put in place a new standard agreement for the transfer of personal information by data controllers to data processors established outside the European Economic Area (EEA).

Generally, Irish companies cannot transfer personal information (such as customer lists or employee details) outside the EEA or certain other approved countries, such as Switzerland or Jersey, unless at least one of a number of prescribed alternative measures is in place to authorise the transfer. The standard agreement approved by the European Commission is one such measure. 

The decision to update the standard “data controller to data processor” agreement has been made by the European Commission in order to take account of the rapidly expanding scope of data processing activities worldwide. An increase in multi-jurisdictional operations, cloud computing services, business outsourcing and cross-border litigation means that many more Irish businesses are now required to put data transfer agreements in place.  The introduction of the new standard agreement does not affect existing US Safe Harbour arrangements.

The new standard agreement will include additional provisions allowing subcontracting by the data processor of its data processing activities to sub-processors, provided that the sub-processor agrees to treat personal data emanating from an Irish data controller in accordance with Irish data protection standards, for example, by ensuring that appropriate technical and organisational security measures are in place to protect personal information. All new data transfer agreements from 15 May 2010 must be in the new format.