On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”). The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities. The Danish clauses serve as a standard data processing agreement that controllers and processors may choose to adopt to fulfill the requirements of Article 28(3) and (4) of the GDPR. However, note that these SCCs are not standard data protection clauses under Article 46(2)(c) or (d) of the GDPR, and as such, cannot serve as a valid legal mechanism to transfer personal data outside the European Economic Area (“EEA”).
To briefly summarize the background, the Danish SA submitted a draft version of its clauses to the EDPB in early 2019. The EDPB reviewed the draft clauses and responded with an opinion in July 2019 requesting that the Danish SA make several adjustments to the language of the clauses for them to be valid going forward. In response, the Danish SA incorporated all the EDPB’s recommendations, leading to the EDPB’s formal publication of the clauses this week.
The Danish clauses consist of a preamble, thirteen substantive sections, and a set of appendices. Parties who implement these clauses must identify the respective controller and processor, fill in information (or choose between options offered) in certain substantive provisions, and complete the appendices (for example, the description of the data processing in Appendix A). However, substantive sections of the clauses that do not require further information from the parties should not be modified; otherwise, the parties will not be considered to have implemented the adopted Danish clauses. As noted by the EDPB, one benefit of the clauses is that the Danish SA will not scrutinize an Article 28 agreement between a controller and processor who have implemented them as-is.
Some noteworthy provisions in the Danish clauses include the following:
- End of Section 4 – Recommends that the parties consider the consequences that may arise from potentially unlawful instructions from the controller and “regulate this in an agreement.”
- Clause 5.1 – Requires the processor to keep a list of persons under its authority who are given access to personal data and periodically review/update the list.
- Clause 5.2 – Specifies that the processor has an obligation to demonstrate to the controller, upon request, that such persons are subject to appropriate confidentiality obligations.
- Clause 6.2 – States that the processor has an independent obligation under Article 32 of the GDPR to evaluate risks to personal data and to mitigate such risks, and that the controller must provide the processor with information necessary to identify and evaluate such risks.
- Clause 7.5 – The processor has an obligation to provide its sub-processor agreement to the controller upon request, so the controller may confirm that the sub-processor is held to the same data protection obligations.
- Clause 7.6 – Introduces a third-party beneficiary rights clause for the controller vis-à-vis the sub-processor, so that the controller can enforce the agreement against the sub-processor in the event that the processor goes bankrupt.