Data Processing Agreements

On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”).  The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities.  The Danish clauses serve as a standard data processing agreement that controllers and processors may choose to adopt to fulfill the requirements of Article 28(3) and (4) of the GDPR.  However, note that these SCCs are not standard data protection clauses under Article 46(2)(c) or (d) of the GDPR, and as such, cannot serve as a valid legal mechanism to transfer personal data outside the European Economic Area (“EEA”).
Continue Reading EDPB Publishes Article 28 Standard Clauses Adopted by Danish Supervisory Authority

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.
Continue Reading GDPR Contracts and Liabilities Between Controllers and Processors