First standard contractual clauses for contracts between controllers and processors

The Danish Supervisory Authority has published the final text of the clauses for contracts between controllers and processors in the EDPB’s register.

The Danish Supervisory Authority has published its contractual clauses for contracts between controllers and processors in compliance with Article 28 (3) GDPR, following the EDPB Opinion 14/2019.

The initiative aims at specifying controller and processors provisions and helping organisations to meet the requirements of Article 28 (3) and 28 (4) beyond the GDPR text.

The clauses have priority over any similar provisions contained in other agreements between the parties, but they do not prevent them from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects. The use of the adopted clauses is not mandatory though, and organisations can use their own templates.

What is new?

The Danish standard contractual clauses for contracts between controllers and processors include some additions to Article 28 (3) GDPR:

  • The processor has to keep a list of persons to whom access has been granted under periodic review. The data processor should be able to demonstrate that the concerned persons under the data processor’s authority are subject to confidentiality.
  • The controller can require the processor to implement further security measures.
  • The controller can set up a minimum time period for the processor to submit a request for specific authorization or to inform in writing of any intended changes concerning the addition or replacement of sub-processors.
  • The controller can request a copy of the a sub-processor agreement to ensure that the same data protection obligations as set out in the clauses are imposed on the sub-processor.
  • Specifications with regard to the assistance provided by the processor to the controller.
  • The controller can set up a maximum time period for the processor to notify the controller of a data breach.

It is important to note that, although they are called “Standard Contractual Clauses”, they should not be confused with the Standard Contractual Clauses adopted by the European Commission, which would still need to be added to the agreement where the recipient of the data is based outside of the EU, if no any other mechanisms as BCR or Privacy Shield were provided.

You can find the latest news about the aforementioned clauses in our Schrems II case post.

Do you use data processors? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.  Contact us today.