As explained in Supplemental Principle 10 (Obligatory Contracts for Onward Transfers), when personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield.

Data controllers in the EU are always required to enter into a contract when a transfer is made for processing purposes only, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor:

  • acts only on instructions from the controller;
  • provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and
  • taking into account the nature of the processing, assists the controller in responding to individuals exercising their right to access their personal data.

Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for processing do not require prior authorization (or such authorization will be granted automatically by EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.