Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
DANISH SUPERVISORY AUTHORITY: data processing agreement – shall I use the Danish model or the European Standard Contractual Clauses?

DANISH SUPERVISORY AUTHORITY: data processing agreement – shall I use the Danish model or the European Standard Contractual Clauses?

When a personal data processing agreement ends, it is possible using both the Danish model that the European Standard Contractual Clauses. Both are valid, but there can be some disadvantages depend on the situation.

Pursuant to the article 28, paragraph 3, of the General Data Protection Regulation (GDPR), processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller.

Danish personal data processing standard agreement

At the beginning of 2018, the Danish Data Protection Authority has published a model for a personal data processing standard agreement in order to help companies and authorities in being in compliance with some GDPR requirements. The standard agreement was the proposal of the Authority on how a personal data processing agreement shall be realized in order to comply with minimum requirements of the GDPR.

In December 2019, after the opinion of the European Data Protection Board (EDPB), this model became the so called Standard Contractual Clauses, pursuant to the article 28, paragraph 8 of the GDPR.

This means that Standard Contractual Clauses of the Danish Data Protection Authority have a specific juridical character, including the fact that the Supervisory Authority, for example during an investigation, does not verify these clauses.

European Standard Contractual Clauses

On June 4th 2021, the European Commission has also published a series of Standard Contractual Clauses, similar to the model of the Danish Data Protection Authority, between data controller and processors, pursuant to the article 28, paragraph 7 of the GDPR.

During the same day, the European Commission has also published its Standard Contractual Clauses for data transfers to third countries pursuant to the GDPR.

So, what is better to use? Shortest answer

The fact that the European Commission has now published a series of Standard Contractual Clauses does not mean that the model of the Danish Data Protection Authority has anymore the juridical status of before. This simply means that there are different Standard Contractual Clauses which may be selected. It is now part of data controller (and processor) choose which Standard Contractual Clauses it is better to use.

So, what is better to use? Longest answer

If both the data controller and the processor are part and work in Denmark, the Personal Data Protection Authority will recommend to the Standard Contractual Clauses of the Danish Authority, because these ones are already used in Denmark. In other words, there is not a rule for the election of the Standard Contractual Clauses of the European Union instead of the Danish ones.

Anyway, in case of cross border agreements, in which the data controller and the processor or one of them is part and works not only in Denmark but also all over Europe, where it can be applied the General Data Protection Regulation, it could be considered the usage of European Standard Contractual Clauses between data controller and processor, because, with the same conditions, it is probably that is – it will turn – in more used in these cases.

In a situation where one of the parties is located in a country outside Europe which has not been approved by the European Commission as having a sufficiently secure level of data protection (a so-called unsafe third country), it may be useful to consider using the European Commission’s Standard Contractual Clauses for transfers of personal data to third countries, which – if properly completed – may also cover the requirements for a data processor agreement in Article 28 of the General Data Protection Regulation. This would avoid the need to draft several different agreements.

It is important to bear in mind that the use of Standard Contractual Clauses is not a requirement for compliance with the Data Protection Regulation’s rules on data processor agreements.

However, in any event, a contract must be concluded that complies with the minimum requirements of Article 28 of the Regulation.

However, there is a significant advantage in using standard contractual clauses, which consists in the security provided by the legal status of the agreement, which, as mentioned above, means that the EDPB, for example in the context of a supervisory investigation, will not verify the content already established.

SOURCE: DANISH DATA PROTECTION AUTHORITY

Recommended to you

Advanced Research