GDPR - You can't amend the model clauses?

"You can't amend the model clauses!"

I always hear people saying that you cannot amend the model clauses; even the lawyers made such statements when I approached them for consultation while signing model contractual clauses.


You absolutely can amend the model clauses, provided your terms are purely commercial in nature and do not impact the protection of the data, the rights of data subjects, or the rights of supervisory authorities.

Clause 10 of the 2010 Controller-to-Processor Model Clauses:

"The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause." (emphasis added).

In fact, as if to emphasize the point, the 2010 Model Clauses even include an "illustrative" and "optional" indemnification clause.

Similar language exists in the 2004 Controller-to-Controller Model Clauses too at Clause VII:

"The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required." (emphasis added).

(In the interests of completeness, the original 2001 Controller-To-Controller Model Clauses do not expressly permit the addition of commercial clauses, which is as good a reason as any to avoid using them.)

And, if that weren't enough, even the Article 29 Working Party has weighed in on this issue with its FAQs on the 2010 Model Clauses:

"7) Is it possible to add commercial clauses to the Model Clauses?

As clearly stated in clause 10, parties must not vary or modify the Model Clauses, but this shall not prevent the parties from adding clauses on business-related issues where required, as long as they do not contradict the Model Clauses."

Any amendments you make should be purely commercial in nature, or intended to explain how some of the model clause rights should work in practice.


For example:

You might choose to limit the liability between the two parties to the model clauses (but not the data subjects!) by reference to liability caps agreed within a master services agreement between the parties.

Alternatively, you might seek a general, upfront consent from the EU data exporter to the data importer's appointment of sub-processors, provided the appointed sub-processors fulfill the requirements of the model clauses.

Or you might seek to explain how the EU data exporter can exercise its model clause audit rights against the data importer in practice, for example through reliance on the data importer's independent third-party audit certifications or written responses to audit questionnaires.
