EU Model Clauses FAQ

aEU data protection regulators have determined that reliance on the “Safe Harbor” framework for data protection may not be sufficient for the transfer of personal data across borders. The EU Model Clauses allow customers to comply with EU’s Data Protection Directive relating to cross-border transfers of personal data.


The EU’s Data Protection Directive restrict exporting personal data from the European Economic Area without EU recognized data protection procedures. The Model Clauses are approved by the European Commission and are the preferred way to legitimize the transfer of personal data outside the European Economic Area.


International cloud service providers offering security, availability, and performance, along with ancillary services such as customer and technical support, require flexibility to move personal data of an EU customer outside of the EU in the course of providing services.

Carbonite is willing to sign data protection agreements containing the EU Model Clauses with our EU customers regardless of the customer’s size or value of the customer’s business.
Offering the EU Model Clauses involves investing and building the operational controls and processes required to meet the requirements of the EU Model Clauses. Carbonite has invested in the development of controls and processes for those required in order to achieve SOC - level certification, and we are audited against these controls annually. In addition, we provide disclosure of sub-processors, third party beneficiaries status applied to data subjects, and disclosure of technical and organizational security measures. It is possible that competitors who do not offer the EU Model Clauses either have not implemented these controls and processes or have existing business practices that prevent their compliance with these clauses.
Unless a cloud service provider is willing to agree to the EU Model Clauses, it may be difficult for a customer to have confidence that it can comply with the EU Data Protection Directive’s requirements for the transfer of personal data from the EU to jurisdictions that do not provide “adequate protection” for personal data.
No. EU data protection authorities do not generally view encryption as an alternative to adequacy measures for cross-border transfers of personal data.
Carbonite provides services with the same privacy features, controls, and processes for all customers, even those customers that elect not to sign the EU Model Clauses.