The final version of the standard contractual clauses (SCCs) for contracts between controller and processor submitted by the Danish Supervisory Authority has been published in the European Data Protection Board (EDPB) Register for Decisions.
They have been adopted by the Danish Supervisory Authority under article 28(8) GDPR allowing the Supervisory Authority to adopt standard processor agreements.
Update 2022 : The European Commission released in 2021 new Standard Contractual Clauses for international transfers as well as for controller to processor relationship under article 28 GDPR (i.e. within the EU) (Click here for more information and access to the template).
What are the Danish SCCs about?
Though it is called SCCs, these contractual clauses should not be confused with the EU standard contractual clauses adopted by the European Commission in 2010 and that are used to frame data transfers outside of the EU. In this regard, these clauses have been updated in 2021 (see update).
Rather, it is a standard processor agreement as required to be entered into under article 28 GDPR when a controller hires a processor to process personal data on its behalf. These clauses would not be sufficient if the processor were based outside of the EU, an additional transfer mechanism being required (i.e. BCR, SCCs adopted by the EU Commission, Privacy Shield, certification, etc.).
What’s the purpose of the Danish SCCs?
The purpose of the adopted SCCs is to help organisations to meet the requirements of article 28 GDPR with regard to the content of the contract controllers and processors must enter into before starting processing personal data. Indeed, as raised by the EDPB, article 28 cannot be restated as-is in the contract, further specifications being necessary (e.g. assistance to be provided by the processor etc.)
Is it mandatory to use the Danish SCCs from now on?
Using the SCCs remains optional for companies and therefore they may continue using their template if they wish to do so.
However, if they choose to use the SCCs, they must use them as-is and can only add other clauses or additional safeguards that “do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.”
If they are used as-is, the Danish Supervisory Authority will not review the agreement in more detail. If not, the authority will review the contract in the event of an audit.
Can any organisations use the Danish SCCs?
These SCCs having been adopted by the Danish Supervisory Authority, only organisations subject to its competence could benefit from the advantages offered by the use of the Danish SCCs.
However, though they would not benefit from the same advantages, we do not see any reason why other organisations subject to the GDPR could not use the Danish SCCs as well since they are compliant with article 28 GDPR.
Nonetheless, we are of the opinion that it would be difficult for a supervisory authority to challenge the content of these clauses as it has been published in the register of the EDPB. Therefore, it is very likely that, in practice, other supervisory authorities, considering the Danish SCCs as GDPR compliant, do not review them further as well.
When to use the Danish SCCs
The SCCs proposed by the Danish Supervisory Authority are 15 pages long and are very comprehensive. Therefore and though they bring more legal certainty, they may not always be adapted to basic “controller to processor” agreements not requiring lengthy and comprehensive contractual clauses.
However, in these cases, they may still be used as a template and adapted to the circumstances where necessary.