The Swedish and Norwegian Data Protection Authorities have recognized the Danish standard contractual clauses in relation to data processor agreements

25.06.2020

The Danish Protection Authority has adopted standard contractual clauses in accordance with article 28(3) of the GDPR. The national data protection authorities in Sweden and Norway have declared that they recognize the Danish standard contractual clauses which is why Swedish and Norwegian businesses can make use of these standard contractual clauses as though they were adopted by their own regulatory authorities.

Standard Contractual Clauses

National data protection authorities have the option of adopting standard contractual clauses for the purposes of Article 28(3) of Regulation 2016/679 (the GDPR) regarding data processor contracts. The Danish data protection authority has adopted standard contractual clauses regarding data processor agreements in order to ensure the protection of the data subjects’ rights and to make sure that data processors meet the requirements of the GDPR when concluding contracts in accordance with article 28(3) of the GDPR.

The standard contractual clauses have a specific legally binding effect – the use of these templates entail certain benefits for the businesses that use them. Other than making sure that the business meets the requirements of the GDPR, it also means that the Danish Data Protection Authority will not further review the business’ contract clauses during inspection visits.

When a national data protection authority adopts standard contractual clauses for the purposes of GDPR, the clauses must be drawn up in collaboration with other national data protection authorities in the EU to ensure a uniform application of the GDPR among the member states of the EU. The collaboration takes place through the European Data Protection Board (EDPB). The EDPB will review the standard contractual clauses before the national data protection authority can adopt them. The Danish Data Protection Authority published a template of the standard contractual clauses in February 2018 which would help businesses live up to the minimum requirements in the GDPR. The EDPB recognized the template in December 2019 after which the template could be characterized as a standard contractual clause.

 

Recognition in Norway and Sweden

After the recognition by the EDPB in December 2019, the data protection authorities in Norway and Sweden have declared that they will also recognize the Danish standard contractual clauses. Following this recognition, The Danish Data Protection Authority’s standard contractual clauses will have a legally binding effect in Sweden and Norway. As a result of this, businesses in Sweden and Norway can make use of the Danish contractual clauses as though the clauses were adopted by their own data protection authorities – with no concern of facing criticism from the Swedish and Norwegian data protection authorities in relation to the clauses.

 

NJORD’s remarks

It is not a requirement to use the Danish Data Protection Authority’s standard contractual clauses. Businesses can therefore still use their own contractual clauses/data processor agreements in accordance with article 28 (3). If the business makes use of their own contractual clauses, it is important to make sure they follow the minimum requirements in article 28 of the GDPR. The Data Protection Authority’s standard contractual clauses already meet the requirements of article 28(3) which is why businesses will benefit strongly from using these clauses instead of their own contractual clauses/data processor agreements.

 

Article provided by: Claas Thöle (NJORD Law Firm, Denmark)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.