Greetings from Brussels!
As is tradition this time of year, the city has begun to decompress with the festive season upon us. Noticeably, there is a sense of balmy calmness on the streets of the EU quarter as offices empty and folks head home for the end-of-year break.
There was an interesting release this last week by the European Data Protection Board, which published the final text of the standard contractual clauses adopted by the Danish data protection authority in accordance with Art 28 of the GDPR in what concerns controller-processor arrangements. The Danish clauses serve as a standard data processing agreement template that controllers and processors may choose to adopt to fulfill the requirements of Article 28 (2) to (4) of the GDPR. The final Danish text can be found here.
For context, back in April 2019, the Danish DPA submitted draft clauses to the EDPB for an opinion. The opinion contains several considerations and guidance elements for the drafting of Article 28 contractual clauses, as well as language recommendations. Those recommendations were subsequently incorporated into the draft text by the Danish DPA resulting in its formal publication by the EDPB and included in the EDPB’s register of decisions taken by the supervisory authorities. Peter Fogh Knudsen, head of International Division at the Danish DPA, the Datatilsynet, said he was delighted to see the SCCs so well received by fellow European supervisory colleagues, highlighting that the overall process within the EDPB consistency mechanism was very constructive.
There are some interesting notes to take on board here. First, it is important state that it is not a mandatory requirement for organizations to use such standard contract provisions to comply with the GDPR's rules on data processing agreements, be they construed by the Danish or any other EU member state authority for that matter. However, that said, a controller-processor agreement must comply with the minimum requirements of Article 28 of the GDPR. To that end, one could argue there is a significant advantage to make use of the Danish DPA’s standard contract provisions insofar that they have been endorsed more broadly and published by the EDPB; there is some security in the knowledge that there is a framework template from which to work.
In speaking with Isabelle Vereecken, the head of the EDPB Secretariat, she discussed an "available and reliable" template that is publicly available incorporating the views of the EDPB. The template will also be made available in all the EU languages. More importantly, Vereecken emphasized the benefits of "legal learnings" that organizations can accumulate thanks to this opinion when looking at existing and future data-processing agreements. For example, the opinion treats areas of importance such as assistance (from processor to controller), data breach notifications, audits, sub-processing, liability, and erasure and return of data.
For those organizations that may not have the resources at hand to confidently draft a data-processing agreement, the template serves as an appropriate and practical model. My sense is that organizations EU wide will benefit from this initiative, particularly small-and-medium sized enterprises. To paraphrase the conclusions of the EDPB opinion, the initiative is welcome and goes some way to contribute to the harmonization of GDPR implementation throughout the EU.
Well done, the Danes!
If you want to comment on this post, you need to login.