From Denmark with love: Our analysis of the new Danish standard contractual clauses
The final text of the Danish standard contractual clauses was published by the European Data Protection Board (EDPB) on 10 December 2019. The clauses are… Read more
The final text of the Danish standard contractual clauses was published by the European Data Protection Board (EDPB) on 10 December 2019. The clauses are designed to help organisations comply with Article 28 of the General Data Protection Regulation (GDPR) when engaging a processor. They are not, despite their slightly misleading name, a new international data transfer mechanism nor do they aim to replace the EU standard contractual clauses (Model Clauses).
Why are new clauses desirable?
Reducing negotiations: Designing a standard set of clauses offers an opportunity to address issues of scope, proportionality and liability which often creep up in negotiations of data processing agreements and usually result in onerous processor agreements and/or a hefty bill from the lawyers.
Balancing obligations: Depending on the negotiating position, data processing terms often favour either the controller or processor. Processors frequently struggle with the detailed and disproportionate obligations imposed on them by controllers. Equally, clients struggle with the non-negotiable processing terms of multinational cloud providers. A balanced version is highly desirable.
Unfortunately, unless you operate in Denmark, there doesn’t seem to be a practical benefit in adopting the clauses, whether you act as controller or processor.
Our thoughts on the clauses
Too long and confusing
- The 18 page-long document (or longer if populated by the parties) is, in our view and experience, less attractive than many shorter versions used in practice.
- The clauses could benefit from definitions, the text could be simplified, and duplications removed.
- According to the EDPB opinion, clauses which merely restate the provisions of Article 28 are “inadequate”. However, elaborating on matters that are obvious or adding unnecessary complexity will not get you there either.
- The document includes unnecessary clauses such as keeping a list of authorised personnel while at the same time mandating access to data on a “need to know basis”.
- The document refers to “data processor” instead of “processor” as referred to in the GDPR.
Lacks proportionality
- The obligations are not always limited to personal data processed on behalf of the controller.
- The issue of the cost of assistance remains unresolved. The document vaguely suggests that the processor has to “… set aside the resources (mainly time) …”.
- Helpfully, the EDPB opinion clarifies that assistance could simply consist of “an exchange of information”.
Lacks practical solutions
- The parties are instructed to foresee any potentially unlawful instructions but the document fails to suggest that the controller should ensure the lawfulness of its instructions.
- The processor has to notify the controller of any processing based on a legal requirement, unless such notification is prohibited on important ground of public interest. The document is silent about a situation where such notification is prevented by law which is not necessarily based on an important ground of public interest.
- Agreeing a third-party beneficiary clause with the sub-processor in the event of bankruptcy of the processor seems like a good idea but this will rarely be agreeable to the sub-processor.
- Audit of “physical facilities as well as systems” is mandated without suggesting any practical access limitations and anti-disruption provisions.
- Details of processing must be completed for each processing activity, but the document does not give examples of what may constitute a processing activity.
- Given the issues with the document, sub-processors who have to agree to the “same data protection obligations as set out in the contract”[1] will also likely struggle agreeing to it.
Lacks a global view
- References to articles under the GDPR are made but the document does not reflect the fact that some processors will not be directly subject to the GDPR. It fails to impose certain obligations to compensate for this.
Security
- The document helpfully stresses that the controller has to explain risks of processing and negotiate the security measures at the outset.
- Apart from duplication of the GDPR text, measures may be required to address risks of online access, data transmission, storage, security of locations, remote access and logging.
Lacks flexibility
- The document allows for additional terms “as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.” However, where modified, the parties will not be deemed to have used the standard provisions.
- As a result, the parties will not benefit from the promise that where the clauses are used the authority “will not examine these provisions in more detail”. However, this benefit is doubtful because it is hard to see how the authority would satisfy itself that the standard clauses were used without examining all provisions.
Overall, the clauses are welcomed and show good commitment from the regulator. We hope that the various industries which desire clarification on data processing terms in their sector will be able to benefit from similar initiatives in future.
[1] Article 28(4) of GDPR.
Share this blog
Share this Blog
- Adtech & martech
- Agile
- Artificial intelligence
- Brexit
- Cloud computing
- Complex & sensitive investigations
- Connectivity
- Cryptocurrencies & blockchain
- Cybersecurity
- Data analytics & big data
- Data breaches
- Data rights
- Digital commerce
- Digital content risk
- Digital health
- Digital media
- Digital infrastructure & telecoms
- Emerging businesses
- Financial services
- Fintech
- Gambling
- GDPR
- KLick DPO
- Open banking
- Retail
- SMCR
- Software & services
- Sourcing
- Travel