First standard contractual clauses for contracts between controllers and processors (art. 28 GDPR) at the initiative of DK SA published in EDPB register

11 December 2019

Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
 
The standard processor agreement has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organisations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.
 
The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.
Nevertheless, the clauses are an instrument to be used "as is", i.e. the parties who enter into a contract with a modified version of the clauses are not deemed to have employed the adopted SCCs. On the contrary, to the extent that organizations choose to make use of these standard provisions, the Danish SA, for example in connection with an inspection visit, will not examine these provisions in more detail.