Kemp Little
  • Looking for someone?
  • Email us
  • Search
MENU MENU
Insights overview

Commercial technology · Data protection & privacy · 2 January 2020 · Marta Dunphy-Moriel · Alex Dittel

From Denmark with love: Our analysis of the new Danish standard contractual clauses

The final text of the Danish standard contractual clauses was published by the European Data Protection Board (EDPB) on 10 December 2019. The clauses are… Read more

more content below

The final text of the Danish standard contractual clauses was published by the European Data Protection Board (EDPB) on 10 December 2019. The clauses are designed to help organisations comply with Article 28 of the General Data Protection Regulation (GDPR) when engaging a processor. They are not, despite their slightly misleading name, a new international data transfer mechanism nor do they aim to replace the EU standard contractual clauses (Model Clauses).

Why are new clauses desirable?

Reducing negotiations: Designing a standard set of clauses offers an opportunity to address issues of scope, proportionality and liability which often creep up in negotiations of data processing agreements and usually result in onerous processor agreements and/or a hefty bill from the lawyers.

Balancing obligations: Depending on the negotiating position, data processing terms often favour either the controller or processor. Processors frequently struggle with the detailed and disproportionate obligations imposed on them by controllers. Equally, clients struggle with the non-negotiable processing terms of multinational cloud providers. A balanced version is highly desirable.

Unfortunately, unless you operate in Denmark, there doesn’t seem to be a practical benefit in adopting the clauses, whether you act as controller or processor.

Our thoughts on the clauses

Too long and confusing

  • The 18 page-long document (or longer if populated by the parties) is, in our view and experience, less attractive than many shorter versions used in practice.
  • The clauses could benefit from definitions, the text could be simplified, and duplications removed.
  • According to the EDPB opinion, clauses which merely restate the provisions of Article 28 are “inadequate”. However, elaborating on matters that are obvious or adding unnecessary complexity will not get you there either.
  • The document includes unnecessary clauses such as keeping a list of authorised personnel while at the same time mandating access to data on a “need to know basis”.
  • The document refers to “data processor” instead of “processor” as referred to in the GDPR.

Lacks proportionality

  • The obligations are not always limited to personal data processed on behalf of the controller.
  • The issue of the cost of assistance remains unresolved. The document vaguely suggests that the processor has to “… set aside the resources (mainly time) …”.
  • Helpfully, the EDPB opinion clarifies that assistance could simply consist of “an exchange of information”.

Lacks practical solutions

  • The parties are instructed to foresee any potentially unlawful instructions but the document fails to suggest that the controller should ensure the lawfulness of its instructions.
  • The processor has to notify the controller of any processing based on a legal requirement, unless such notification is prohibited on important ground of public interest. The document is silent about a situation where such notification is prevented by law which is not necessarily based on an important ground of public interest.
  • Agreeing a third-party beneficiary clause with the sub-processor in the event of bankruptcy of the processor seems like a good idea but this will rarely be agreeable to the sub-processor.
  • Audit of “physical facilities as well as systems” is mandated without suggesting any practical access limitations and anti-disruption provisions.
  • Details of processing must be completed for each processing activity, but the document does not give examples of what may constitute a processing activity.
  • Given the issues with the document, sub-processors who have to agree to the “same data protection obligations as set out in the contract”[1] will also likely struggle agreeing to it.

Lacks a global view

  • References to articles under the GDPR are made but the document does not reflect the fact that some processors will not be directly subject to the GDPR. It fails to impose certain obligations to compensate for this.

Security

  • The document helpfully stresses that the controller has to explain risks of processing and negotiate the security measures at the outset.
  • Apart from duplication of the GDPR text, measures may be required to address risks of online access, data transmission, storage, security of locations, remote access and logging.

Lacks flexibility

  • The document allows for additional terms “as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.” However, where modified, the parties will not be deemed to have used the standard provisions.
  • As a result, the parties will not benefit from the promise that where the clauses are used the authority “will not examine these provisions in more detail”. However, this benefit is doubtful because it is hard to see how the authority would satisfy itself that the standard clauses were used without examining all provisions.

Overall, the clauses are welcomed and show good commitment from the regulator. We hope that the various industries which desire clarification on data processing terms in their sector will be able to benefit from similar initiatives in future.

[1] Article 28(4) of GDPR.

  • Share this blog

  • Twitter
  • Facebook
  • Linkedin

Need to talk about this?

Marta Dunphy-MorielMarta Dunphy-Moriel

Alex DittelAlex Dittel

Get in touch

Sign up for our newsletters

  • Share this Blog

  • Twitter
  • Facebook
  • Linkedin

Other stuff you might like


    Notice: Undefined variable: show_default in /home/kemplittle/test.kemplittle.com/wp-content/themes/kemplittle/single.php on line 349
  1. The best way to learn from Thomas Cook and safeguard your agency | TTG media
  2. Coding and law: how coding made me a better paralegal
  3. Podcast | DPO Update: ICO on direct marketing, scientific research opinion, CCTV and fines
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
close
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
Kemp Little

Lawyers
and thought leaders who are passionate about technology

Expand footer

Kemp Little

138 Cheapside
City of London
EC2V 6BJ

020 7600 8080

hello@kemplittle.com

Services

  • Commercial technology
  • Consulting
  • Disputes
  • Intellectual property
  • Employment
  • Immigration

 

  • Sourcing
  • Corporate
  • Data protection & privacy
  • Financial regulation
  • Private equity & venture capital
  • Tax

Sitemap

  • Our people
  • Insights
  • Events
  • About us
  • Contact us
  • Cookies
  • Privacy
  • Terms of use
  • Compliants
  • Debt recovery charges

Follow us

  • Twitter
  • LinkedIn
  • FlightDeck
  • Sign up for our newsletters

Kemp Little LLP is a limited liability partnership registered in England and Wales (registered number OC300242) and is authorised and regulated by the Solicitors Regulation Authority. Its registered office is 138 Cheapside, London EC2V 6BJ. The SRA Standards and Regulations can be accessed by clicking here.

  • Cyber Essentials logo
  • Tech Nation logo
  • LORCA logo
  • ABTA Partner+ logo
  • Make Your Ask logo
  • FT Innovative Lawyers 2019 winners logo
  • Law Society Excellence Awards shortlisted
  • Legal Business Awards = highly commended
  • Home
  • Our people
  • Services
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
  • Insights
  • Quick reads
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • LORCA
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn
close
close
close

Send us a message

Fill in your details and we'll be in touch soon


Notice: Trying to get property of non-object in /home/kemplittle/test.kemplittle.com/wp-content/plugins/contact-form-7-dynamic-text-extension/contact-form-7-dynamic-text-extension.php on line 330

close

Sign up for our newsletter

I would like to receive updates and related news from Kemp Little *

Please select from the areas of interest below.

Themes

Services

Please select below any publications that you would like to receive:

Newsletters

close

Register for future event information

close
close
Looking for someone?
Generic filters
Exact matches only

Can't remember their name? View everyone

  • Home
  • Our people
  • Services
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
  • Insights
  • Quick reads
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • LORCA
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn