On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”).  The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities.  The Danish clauses serve as a standard data processing agreement that controllers and processors may choose to adopt to fulfill the requirements of Article 28(3) and (4) of the GDPR.  However, note that these SCCs are not standard data protection clauses under Article 46(2)(c) or (d) of the GDPR, and as such, cannot serve as a valid legal mechanism to transfer personal data outside the European Economic Area (“EEA”).

To briefly summarize the background, the Danish SA submitted a draft version of its clauses to the EDPB in early 2019.  The EDPB reviewed the draft clauses and responded with an opinion in July 2019 requesting that the Danish SA make several adjustments to the language of the clauses for them to be valid going forward.  In response, the Danish SA incorporated all the EDPB’s recommendations, leading to the EDPB’s formal publication of the clauses this week.

The Danish clauses are comprised of a preamble, thirteen substantive sections, and a set of appendices. Parties who implement these clauses must identify the respective controller and processor, fill in information (or choose between options offered) in certain substantive provisions, and complete the appendices (for example, the description of the data processing in Appendix A).  However, substantive sections of the clauses that do not require further information from the parties should not be modified, otherwise the parties will not be considered to have implemented the adopted Danish clauses.  As noted by the EDPB, one benefit of the clauses is that the Danish SA will not scrutinize an Article 28 agreement between a controller and processor who have implemented them as-is.

Some noteworthy provisions in the Danish clauses include the following:

  • End of Section 4 – Recommends that the parties consider consequences that may arise from potentially unlawful instructions from the controller and to “regulate this in an agreement.”
  • Clause 5.1 – Requires the processor to keep a list of persons under its authority who are given access to personal data and periodically review/update the list.
  • Clause 5.2 – Specifies that the processor has an obligation to demonstrate to the controller, upon request, that such persons are subject to appropriate confidentiality obligations.
  • Clause 6.2 – States that the processor has an independent obligation under Article 32 of the GDPR to evaluate risks to personal data and to mitigate such risks, and that the controller must provide the processor with information necessary to identify and evaluate such risks.
  • Clause 7.5 – The processor has an obligation to provide its sub-processor agreement to the controller upon request, so the controller may confirm that the sub-processor is held to the same data protection obligations.
  • Clause 7.6 – Introduces a third-party beneficiary rights clause for the controller vis-à-vis the sub-processor, so that the controller can enforce the agreement against the sub-processor in the event that the processor goes bankrupt.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws…

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide.  Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements related to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer registered on the B-List of the Brussels Bar, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.