Model Contracts for the transfer of personal data to third countries
Clinicea is a Cloud based offering. This implies that the data you store in Clinicea may be stored, backed up or replicated on servers outside of the EU region. This is often necessitated to ensure disaster recovery, high availability and to create redundancy in the event of technical failure. However EU laws required prohibits international transfer of data which may breach the EU citizens right to the privacy of personal data.
Specifically, the EU directive states that,
‘according to Article 25(1), transfer of personal data “may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection”. The essential concern of the Data Protection Directive on this point is to ensure that personal data lawfully processed in the EU (and the EEA) remain subject to safeguards when transferred to third countries. The Data Protection Directive thus determines the situations where personal data may be transferred to third countries. The preferred solution under Article 25 of the Data Protection Directive is one where there is an adequate level of protection; this can be assessed by the Member States or by the European Commission (the Commission has the power to make determinations of adequacy that are binding on EU (and EEA) Member States (Article 25(6)2 ). But there also exist situations where the level of protection has not been assessed and determined but where personal data may nevertheless be transferred to the third country.’
So, the European Commission, on the basis of Article 26 (4) of directive 95/46/EC has deemed that certain standard contractual clauses are required to ensure sufficient safeguards are put in place as required by Article 26 (2), that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.
The European Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for the transfer to processors established outside the EU/EEA.
There are 2 legs involved to the data transfer:
1. From your clinic to Clinicea
All Clinicea customers that are located in the EEA must request and complete an additional data processing agreement, which incorporates the Standard Contractual Clauses (for the purposes of Article 26(2) of Directive 95/46/EC). This protects both your data, and the privacy of your customer’s data and meets all requirements of the European Union Data Protection Directive. Please get in touch with us via email@example.com to sign the agreement. In addition, please review the following documents
2. From Clinicea to its Cloud Hosting Partners
We use storage and processing services from Microsoft Azure ie. non-EU data processor. We have established Model Contact Clauses (or Standard Contractual Clauses) with Microsoft Azure to ensure compliance.