EDPB published standard clauses for (sub-)processing activity

The European Data Protection Board (“EDPB”) delivered a positive opinion on the Article 28 Standard Clauses  adopted on 10 December 2019 by the Danish Supervisory Authority. The clauses intend to serve as a standard processing agreement between controllers and processors for the purpose of Article 28.3 of Regulation 2016/679 (GDPR). They contain sections to be filled in by the parties (e.g. controller and processor), options to be selected (e.g. general or specific authorisation to use sub-processors) and appendices to be completed (e.g. information about processing, list of sub-processors, instructions for processing) so that they can be adapted to the circumstances at hand. 

The EDPB noted that the Danish Supervisory Authority will be able to refer to the Standard Clauses as a model of processing agreement pursuant to Article 28.8 of the GDPR. Parties may still add other clauses provided that they do not contradict the Standard Clauses or prejudice the rights of the data subjects, but in case of modification, the parties will not be deemed to have implemented a standard agreement adopted by a Supervisory Authority.

The Standard Clauses adopted by the Danish Supervisory Authority must not be confused with the current European Commission’s standard contractual clauses or the expected standard data protection clauses of Article 46 of the GDPR covering personal data transfers and cannot thus be relied on as an appropriate safeguard for transferring personal data to processors located outside the European Economic Area. Therefore, such transfers still require compliance with Chapter V of the GDPR in addition to the use of the Danish Standard Clauses.

This may also interest you :

• Data Protection - Consequences of a no-deal Brexit on personal data transfers to the UK
• Schrems II case: EU to U.S. transfers of personal data challenged
• EU Entities can continue to transfer personal data within the Privacy Shield framework