On December 10, 2019, the Danish Supervisory Authority (SA) published its final version of Standard Contractual Clauses (SCCs) that data controllers and processors may use to satisfy the General Data Protection Regulation (GDPR) obligation to enter into a data processing agreement.

The Danish SCCs have been reviewed and approved by the European Data Protection Board (EDPB). Accordingly, they constitute an official template containing the contractual provisions that the Danish SA and the EDPB consider important. Because the Danish SCCs have been examined by all EU Supervisory Authorities and approved by the EDPB, they may become the model for data processing agreements across the EU.

Background

The SCCs provide companies with a voluntary and ready-to-use template which may be annexed to a services agreement or used as a stand-alone agreement to govern the processing of personal data by a vendor (a “processor”) on behalf of a company (a “controller”).[1] Companies are free to use the SCCs or to keep using their own templates. The SCCs are not mandatory, even for companies operating in Denmark.

Prior to the GDPR, Supervisory Authorities did not have the power to formally adopt templates for data processing agreements. However, the GDPR authorized Supervisory Authorities to adopt “standard contractual clauses” for the purpose of complying with Article 28 of the GDPR, subject to “the consistency mechanism.” Under this mechanism, the EDPB must review the clauses to ensure the language is acceptable for other national Supervisory Authorities, thus preventing divergent interpretations across the EU. Supervisory Authorities are required to closely follow the EDPB’s opinion. It is noteworthy that the EU Commission can also adopt pan-EU SCCs for the purpose of complying with Article 28 GDPR.[2]

The Danish SA issued a first version of the SCCs in April 2019. The EDPB delivered its Opinion in July 2019. In light of the EDPB Opinion, the Danish SA prepared a final version of the SCCs which was published last December.

Key Points for Controllers

Pursuant to the GDPR, controllers are responsible for the processing of personal data by processors. The SCCs implement this principle by facilitating, to a certain extent, that controllers oversee the processor’s activities. In particular, controllers should be aware of the following clauses:

  • Scope of the processing. Pursuant to the GDPR, vendors should only process personal data in accordance with the controller’s instructions. Market practices vary from providing relatively high-level instructions to fully explaining the details of the processing to be carried out by the vendor (e.g., specifying the types of data that may be collected by the processor and the conditions of the processing). However, in its Opinion on the SCCs, the EDPB clarified that the description of the processing “should be made in the most detailed possible manner.”[3]
  • Liability for unlawful instructions. The processor’s obligation to comply with the controller’s instructions may lead to complex disputes if the controller’s instructions are unlawful. While the GDPR requires the processor to notify the controller if a given instruction is unlawful, it does not apportion the liability if the processor executes the instruction. To address this issue, a note in the SCCs recommends that the parties apportion the liability between them in the event of an unlawful instruction.
  • Audit rights. Pursuant to the GDPR, processors should allow controllers to conduct audits and inspections of their processing activities. While the SCCs invite the parties to reach an agreement on the extent of the controller’s audit and inspection rights, Appendix C.7 and C.8 to the SCCs provide some examples of audit clauses which the parties may The examples in the SCCs indicate that audits should be periodically conducted by independent third-party auditors, which would share the findings (e.g., the audit report) with the controller. According to the example in the SCCs, if the controller believes that the processor did not provide sufficient information or has doubts about the accuracy of the findings in the audit report, it may contest the scope or methodology of the audit. In such cases, the controller is entitled to request that a new audit report be drawn up and disclosed.

Companies that choose to adopt the SCCs without amending the clauses could be subject to a lower degree of scrutiny by regulators in Denmark and, possibly, elsewhere in the EU. The Danish SA announced that, if a company has adopted the SCCs, it would only carry out a marginal check to review that the SCCs have not been altered, which could minimize companies’ regulatory risks.[4] However, despite this statement, companies which adopt SCCs are still required to comply with the SCCs’ provisions and could be subject to regulatory action in case of non-compliance. Companies which adopt SCCs are allowed to introduce further provisions in the agreement, so long as the new provisions do not contradict the clauses drawn up by the Danish SA.[5] For instance, companies could decide to add clauses governing topics such as liability, or applicable law and forum.

Key Concerns for Processors

If a vendor intends to use the SCCs as a basis for processing personal data on behalf of another company, it should consider the following clauses and implications:

  • Security measures. Keeping personal data secure is an obligation for controllers and processors under the GDPR. Data processing agreements typically contain a list of security measures which the processor must However, the SCCs go even further. In addition to the list of security measures which the processor must adopt to fulfill the controller’s instructions (in Appendix C.3), the SCCs also require the processor to carry out its own independent risk assessment. The SCCs even indicate that processors may request information from the controller when necessary to carry out the risk assessment. On the basis of the assessment, processors should adopt the security measures which they deem appropriate. The SCCs, thus, require processors to take a proactive stance concerning data security.
  • Disclosing sub-processor contracts. The SCCs create an obligation for processors to disclose, at the controller’s request, the privacy provisions contained in the contracts entered into with their vendors (the “sub-processors”), to prevent sub-processors from offering lower safeguards than the processors themselves.[6] To minimize disclosure of business sensitive information, the SCCs indicate that sub-processor agreements may be disclosed in a redacted form, excluding commercial terms unrelated to the processing of personal data.[7]
  • Third-party beneficiary clause. The SCCs require processors to include third-party beneficiary clauses in their contracts with sub-processors. These clauses would ensure that a controller may enforce the SCCs directly against the sub-processors if the initial processor is bankrupt. As a consequence, companies which act as sub-processors in many instances (e.g., large cloud providers used by companies to provide services to other companies) may be exposed to claims originating from entities (the controllers) which are not their direct customers.
  • On-premise inspections. In addition to the audit rights discussed above, the SCCs also invite the parties to agree on the right of the controller to physically inspect the processor’s premises where the processing of personal data takes place. The SCCs provide an example clause which parties may adopt in this The example clause indicates that the controller may inspect the processor’s facilities and systems whenever it “deems it required.”[8] In the absence of further clarification as to the extent of this obligation, processors which serve a large number of customers could receive a lot of inspection requests. Moreover, both the audit and the inspection obligations laid down in the SCCs cover sub-processors. Consequently, processors could theoretically be required to conduct periodic audits and/or inspections of their sub-processors and share the results with the controllers. The question remains whether parties will adopt these requirements.

Next Steps

The SCCs adopted by the Danish SA could be a useful tool to streamline vendor onboarding, particularly for SMEs. The possibility of limiting the degree of regulatory scrutiny, as announced by the Danish SA, could become an advantage for companies, especially those operating in Denmark. Additionally, the SCCs have been approved by the EDPB, which indicates that all other Supervisory Authorities in the EU had the chance to voice their concerns and propose amendments to the text. Therefore, the SCCs arguably have de facto EU-wide relevance.

While the impact of the SCCs on market practices is not yet known, they may have the potential of becoming a new “standard” across the EU. As they are the first set of SCCs adopted under the GDPR, they are likely to become a reference point for regulators’ expectations concerning data processing agreements. Furthermore, given their approval by the EDPB, it is possible that the Danish SCCs will be used as a baseline if regulators in other countries decide to develop their own set of SCCs, or if the EU Commission were to adopt SCCs with an EU-wide scope.

In any case, companies considering the Danish SCCs should note that some clauses are rather abstract, “controller-friendly,” and that they may not be a good fit for every outsourcing scenario. Companies should, thus, assess the SCCs carefully before using them, in order to avoid agreeing to clauses which do not suit their processing needs.

[1] These Standard Contractual Clauses should not be confused with the “Model Contracts” or “Standard Data Protection Clauses” for the transfer of personal data outside the EU according to Article 46 GDPR.

[2] Article 28(7) GDPR.

[3] European Data Protection Board, Opinion 14/2019, para. 50.

[4] Danish SA, “Standardkontraktsbestemmelser vedtaget af Datatilsynet,” December 10, 2019, available at https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/dec/standardkontraktsbestemmelser-vedtaget-af-datatilsynet/.

[5] Clause 13(1) of the SCCs; see also European Data Protection Board, Opinion 14/2019, para. 10.

[6] The Danish SA seems to have taken inspiration from the Controller-to-Processor Model Contracts which contain a similar provision See Commission Decision 2010/87/EU, Clause 5(j).

[7] Clause 7(5) SCCs.

[8] Appendix C.7 SCCs.