Standard Contractual Clauses
National data protection authorities have the option of adopting standard contractual clauses for the purposes of Article 28(3) of Regulation 2016/679 (the GDPR) regarding data processor contracts. The Danish data protection authority has adopted standard contractual clauses regarding data processor agreements in order to ensure the protection of the data subjects’ rights and to make sure that data processors meet the requirements of the GDPR when concluding contracts in accordance with article 28(3) of the GDPR.
The standard contractual clauses have a specific legally binding effect – the use of these templates entail certain benefits for the businesses that use them. Other than making sure that the business meets the requirements of the GDPR, it also means that the Danish Data Protection Authority will not further review the business’ contract clauses during inspection visits.
When a national data protection authority adopts standard contractual clauses for the purposes of GDPR, the clauses must be drawn up in collaboration with other national data protection authorities in the EU to ensure a uniform application of the GDPR among the member states of the EU. The collaboration takes place through the European Data Protection Board (EDPB). The EDPB will review the standard contractual clauses before the national data protection authority can adopt them. The Danish Data Protection Authority published a template of the standard contractual clauses in February 2018 which would help businesses live up to the minimum requirements in the GDPR. The EDPB recognized the template in December 2019 after which the template could be characterized as a standard contractual clause.
Recognition in Norway and Sweden
After the recognition by the EDPB in December 2019, the data protection authorities in Norway and Sweden have declared that they will also recognize the Danish standard contractual clauses. Following this recognition, The Danish Data Protection Authority’s standard contractual clauses will have a legally binding effect in Sweden and Norway. As a result of this, businesses in Sweden and Norway can make use of the Danish contractual clauses as though the clauses were adopted by their own data protection authorities – with no concern of facing criticism from the Swedish and Norwegian data protection authorities in relation to the clauses.
It is not a requirement to use the Danish Data Protection Authority’s standard contractual clauses. Businesses can therefore still use their own contractual clauses/data processor agreements in accordance with article 28 (3). If the business makes use of their own contractual clauses, it is important to make sure they follow the minimum requirements in article 28 of the GDPR. The Data Protection Authority’s standard contractual clauses already meet the requirements of article 28(3) which is why businesses will benefit strongly from using these clauses instead of their own contractual clauses/data processor agreements.
Article provided by: Claas Thöle (NJORD Law Firm, Denmark)
Dr. Tobias Höllwarth (Managing Director INPLP)