Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR)

Adopted on 9 July 2019


Page 1: Opinion 14/2019 on the draft Standard Contractual Clauses ... · Adopted 4 (6) Adopted standard contractual clauses constitute a set of guarantees to be used as is, as they are intended

Adopted 1

Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR)

Adopted on 9 July 2019


1 CONTENTS

2 Summary of the Facts ........ 4

3 Assessment ........ 5

3.1 General reasoning of the Board regarding the set of standard contractual clauses ........ 5

3.2 Analysis of the draft standard contractual clauses ........ 5

3.2.1 General remark on the whole SCCs ........ 5

3.2.2 Data Processing Preamble (Clause 2 of the SCCs) ........ 6

3.2.3 The rights and obligations of the data controller (Clause 3 of the SCCs) ........ 6

3.2.4 The data processor acts according to instructions (Clause 4 of the SCCs) ........ 7

3.2.5 Confidentiality (Clause 5 of the SCCs) ........ 7

3.2.6 Security of processing (Clause 6 of the SCCs) ........ 8

3.2.7 Use of Sub-Processors (Clause 7 of the SCCs) ........ 8

3.2.8 Transfer of data to third countries or international organisations (Clause 8 of the SCCs) ........ 10

3.2.9 Assistance to the data controller (Clause 9 of the SCCs) ........ 11

3.2.10 Notification of personal data breach (Clause 10 of the SCCs) ........ 13

3.2.11 Erasure and return of data (Clause 11 of the SCCs) ........ 13

3.2.12 Inspection and audit (Clause 12 of the SCCs) ........ 14

3.2.13 The parties’ agreement on other terms (Clause 13 of the SCCs) ........ 15

3.2.14 Commencement and termination (Clause 14 of the SCCs) ........ 15

3.2.15 Appendix A ........ 15

4 Conclusions ........ 15

5 Final Remarks ........ 15


The European Data Protection Board

Having regard to Article 28(8), Article 63 and Article 64(1)(d), (3)-(8) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018,1

Having regard to Articles 10 and 22 of its Rules of Procedure of 25 May 2018,

Whereas:

(1) The main role of the European Data Protection Board (hereafter the Board) is to ensure the consistent application of the GDPR throughout the European Economic Area. To this effect, it follows from Article 64(1)(d) GDPR that the Board shall issue an opinion where a supervisory authority (SA) aims to determine standard contractual clauses (SCCs) pursuant to Article 28(8) GDPR. The aim of this opinion is therefore to contribute to a harmonised approach concerning cross-border processing or processing which can affect the free flow of personal data or natural persons across the European Economic Area and the consistent implementation of the GDPR’s specific provisions.

(2) In the context of the relationship between a data controller and a data processor, or data processors, for the processing of personal data, the GDPR establishes, in its Article 28, a set of provisions with respect to the setting up of a specific contract between the parties involved and mandatory provisions that should be incorporated in it.

(3) According to Article 28(3) GDPR, the processing by a data processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller, setting out a set of specific aspects to regulate the contractual relationship between the parties. These include the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, among others.

(4) Under Article 28(6) GDPR, without prejudice to an individual contract between the data controller and the data processor, the contract or the other legal act referred to in paragraphs (3) and (4) of Article 28 GDPR may be based, wholly or in part, on standard contractual clauses. These standard contractual clauses are to be adopted for those matters referred to in paragraphs (3) and (4).

(5) Furthermore, Article 28(8) GDPR determines that a SA may adopt a set of standard contractual clauses in accordance with the consistency mechanism referred to in Article 63. That is to mean that SAs are required to cooperate with other members of the Board and, where relevant, with the European Commission through the consistency mechanism. SAs are required, pursuant to Article 64(1)(d), to communicate to the Board any draft decision aiming to determine standard contractual clauses pursuant to Article 28(8). In this context, the Board is required to issue an opinion on the matter, pursuant to Article 64(3), where it has not already done so.

1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States”.


(6) Adopted standard contractual clauses constitute a set of guarantees to be used as is, as they are intended to protect data subjects and mitigate specific risks associated with the fundamental principles of data protection.

HAS ADOPTED THE OPINION:

2 SUMMARY OF THE FACTS

1. The competent supervisory authority of Denmark has submitted its draft standard contractual clauses (hereafter SCCs) to the Board via the IMI system requesting an opinion from the Board pursuant to Article 64(1)(d) for a consistent approach at Union level. The decision on the completeness of the file was taken on the 4th of April 2019. The Board Secretariat circulated the file to all members on behalf of the Chair on the 4th of April.

2. The Board has received the draft SCCs from the Danish SA2 along with a letter explaining the structure of the standard contractual clauses. These two documents were provided by the Danish SA in an English version. The Board hereby gives its opinion on the English version of the document although the Board notes that the SCCs are also available in Danish on the website of the Danish SA. The Danish SA shall take utmost account of the opinion of the Board.

3. In compliance with Article 10(2) of the Board Rules of Procedure3, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks (until the 9th of July 2019).

2 “Data Processing agreement” is the term used by the Danish SA in the document provided to the Board to refer to Standard Contractual Clauses.

3 Version 2, as last modified and adopted on 23 November 2018.


3 ASSESSMENT

3.1 General reasoning of the Board regarding the set of standard contractual clauses

4. Any set of standard contractual clauses submitted to the Board must further specify the provisions foreseen in Article 28 GDPR. The opinion of the Board aims at ensuring consistency and a correct application of Article 28 GDPR as regards the presented draft clauses that could serve as standard contractual clauses in compliance with Article 28(8) GDPR.

5. The Board notes that the document presented to the Board is a draft SCCs containing two parts:

1) a general part containing general provisions to be used as is; and

2) a specific part that has to be completed by the parties with regard to the specific processing which the contract seeks to govern.

6. In addition, the Danish SA explains, in its letter, that the clauses of the SCCs which are in bold are mandatory and constitute the minimum requirements of a contract under Article 28 GDPR. The remaining clauses, although advisable to include in SCCs, are voluntary and may be included in the SCCs at the discretion of the parties.

7. The Board is of the opinion that clauses which merely restate the provisions of Article 28(3) and (4) are inadequate to constitute standard contractual clauses. The Board has therefore decided to analyse the document in its entirety, including the appendices. In the opinion of the Board, a contract under Article 28 GDPR should further stipulate and clarify how the provisions of Article 28(3) and (4) will be fulfilled. It is in this light that the SCCs submitted to the Board for opinion are analysed.

8. When this opinion remains silent on one or more clauses of the SCCs submitted by the Danish SA, it means that the Board is not asking the Danish SA to take further action with regard to this specific clause. Clauses 6.4, 9.3 and 14.3 of the Danish SCCs are not required by Article 28 and are related to commercial aspects, and the Board therefore does not see these clauses as being part of the SCCs. It is up to the Parties whether, and how, to enter into agreement.

3.2 Analysis of the draft standard contractual clauses

3.2.1 General remark on the whole SCCs

9. The Board is of the opinion that if the SCCs only contained the sections in bold, it would not be sufficient as SCCs, since some of the non-bold sections relate to mandatory provisions under Article 28(3) GDPR. Therefore, the Board recommends that the Danish SA avoid this distinction by clearly stating, either in the clauses or in a separate document instructing on the use of these clauses, that all clauses of the SCCs together with the appendices should be included in the SCCs concluded by the parties.

10. In addition, the Board recalls that the possibility to use Standard Contractual Clauses adopted by a supervisory authority does not prevent the parties from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the adopted standard contractual clauses or prejudice the fundamental rights or freedoms of the data subjects. Furthermore, where the standard data protection clauses are modified, the parties will no longer be deemed to have implemented adopted standard contractual clauses.


11. The Board notes that the wording of several clauses of the SCCs is not in line with the relevant provisions of the GDPR. The Board has indicated this in its opinion below and recommends that the Danish SA align the wording of those clauses with the relevant provisions of the GDPR.

3.2.2 Data Processing Preamble (Clause 2 of the SCCs)

12. Regarding clause 2.3 of the SCCs, the Board is of the opinion that the relationship between the data processing agreement and the “master agreement” could be more flexible. There may be cases where the standard contractual clauses are a distinct document part of the master agreement and as such, there is no need for distinct SCCs. There may also be situations where the data processing governed by the SCCs is not part of a master agreement. The Board therefore encourages the Danish SA to redraft this clause to reflect this flexibility. This specific change needs to be implemented in each occasion where the SCCs refer to the master agreement.

13. Regarding clause 2.4 of the SCCs, first sentence, the Board is of the opinion that in some situations, the data processing agreement might be terminated before the “main agreement”. The Board recommends that the Danish SA adds, at the end of the first sentence, that the agreement “cannot, in principle, be terminated separately, except where the data processing ends before the termination of the master agreement, or where other conditions for separate termination of the standard contractual clauses, as specified under its termination clauses, are met (see also recommendation on clause 14.4 below)”.

3.2.3 The rights and obligations of the data controller (Clause 3 of the SCCs)

14. Regarding clause 3.1 of the SCCs, the Board is of the opinion that the wording “shall be responsible to the outside world” is misleading. Indeed, it could be understood as placing obligations towards data subjects or other stakeholders solely on the data controller. The Board is of the opinion that this clause would be clearer if a reference to Article 24 GDPR and its accountability principle is made. The Board subsequently recommends that the Danish SA adds such a reference.

15. Further, regarding clause 3.1, it would be better to refer, in general, to the applicable legislation in data protection matters, where relevant, instead of to a specific act. The Board recommends that the Danish SA amend the reference to the Data Protection Act. Finally, the Board suggests replacing the words “in the framework of” by “in compliance with”.

Therefore the Board would suggest the following wording as an example:

“1. The Data Controller is responsible for ensuring that the processing of personal data takes place in compliance with the General Data Protection Regulation (see Article 24 GDPR), the applicable EU or Member States data protection provisions ( ) and these standard contractual clauses.”

16. Regarding clause 3.2 of the SCCs, the Board is of the opinion that this clause is unclear, since the data controller has already defined the purposes and means of the processing activity subject to the SCCs. The Board recommends the Danish SA to modify this clause as follows:

17. “The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data”.

18. Regarding clause 3.3 of the SCCs, the Board is of the opinion that its meaning is unclear. The Board assumes that the idea behind this clause is to make sure that the processing activities for which the data controller wishes to engage a data processor have a legal basis. If it is the case, the Board recommends that the Danish SA clarifies the clause accordingly.


Finally, the Board notes that in clause 3.1 of the SCCs the wording “processing of personal data” is used. In clause 3.3 of the SCCs, the word “processing” is used. The Board recommends that the Danish SA use the same terminology in order to avoid confusion.

As an example, the Board would therefore suggest the following wording:

“3. The data controller shall be responsible, among others, for ensuring that the processing of personal data which the data processor is instructed to perform has a legal basis.”

3.2.4 The data processor acts according to instructions (Clause 4 of the SCCs)

19. Regarding clause 4.1 of the SCCs, the Board is of the opinion that a reference should be made to appendices A and C as they further specify the data controller’s instructions. The Board is of the opinion that additional instructions can be given by the data controller throughout the duration of the contract but such instructions shall always be documented.

Further, the Board notes that this clause is inspired by Article 28(3)(a) GDPR. The Board would therefore encourage the Danish SA to use the same wording as in the GDPR.

20. Regarding clause 4.2 of the SCCs, the Board is of the opinion that in case of unlawful instructions, parties should foresee consequences and provide solutions.

3.2.5 Confidentiality (Clause 5 of the SCCs)

21. The Board understands clause 5 of the SCCs as the specification of Article 28(3)(b) GDPR which states that “the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”.

22. Regarding clause 5.1 of the SCCs, the word “currently” is understood by the Board as the necessity to keep the status of “authorised persons” under review. Further, it is unclear to the Board who is giving the authorisation to those persons, in particular since access to personal data has to be provided on a “need-to-know” basis.

23. Regarding clause 5.2 of the SCCs, the Board is of the opinion that this clause relates to the principle of the access to the personal data on a “need-to-know” basis. The Board is of the opinion that clauses 5.1 and 5.2 of the SCCs can be combined as follows:

“It is the responsibility of the data processor to grant access to persons under its authority to the personal data being processed on behalf of the data controller only on a need to know basis and who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The list of persons to whom access has been granted needs to be kept under periodic review. On the basis of the said review, access to personal data can be withdrawn and in this case, personal data cannot be accessible anymore to those persons.”

24. Regarding clause 5.3 of the SCCs, the Board is of the opinion that it is covered by the suggested wording above and clause 5.3 can therefore be deleted.

25. Regarding clause 5.4 of the SCCs, the Board recommends that the Danish SA delete the wording “be able to” since the data processor has to demonstrate compliance with the confidentiality requirements. Further, the Board encourages the Danish SA to adopt a broader wording when referencing “employees” as there may be other persons than employees processing personal data under the authority of the processor. Wording such as “person under the authority of the processor” or “persons employed directly or indirectly by” would be more appropriate.

3.2.6 Security of processing (Clause 6 of the SCCs)

26. Regarding clause 6.1 of the SCCs, the Board recommends that the Danish SA replace the words “with consideration for the current level” in the beginning of the sentence by the words “taking into account the state of the art”, which is the wording of Article 32(1) GDPR. This specific wording is used in the GDPR to make sure that the level of security applied to the processing of personal data is always in line with the latest technological evolutions. The wording suggested by the Danish SA makes reference to a current level which will not be the state of the art in 2 years.

27. Regarding clause 6.2 of the SCCs, the Board understands that this provision relates to Article 28(3)(c) of the GDPR and that clause 9.2 relates to Article 28(3)(f) of the GDPR. However, the distinction between the two clauses and the different tasks of the data processor is not very clear. The Board recalls that Article 28(3)(f) GDPR states that the data processor assists the data controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the data processor.

The Board is of the opinion that the “risk assessment” referred to in the first sentence of clause 6.2 has to be performed on the processing activities which the data controller will entrust to the data processor. The data controller should therefore provide the data processor with all the information necessary so that the data processor can comply with Article 28(3)(c) and (f) of the GDPR. The Board would like to emphasize that this does not exempt the data controller from the responsibility to be in compliance with its own obligations under Article 25, 32 or 35-36 GDPR.

In addition, the end of the first sentence of clause 6.2 needs to be redrafted in order to be more in line with clause 9.2 and appendix C2, as it is not clear for the Board how the wording “thereafter implement measures to counter the identified risk” in clause 6.2 is related to clause 9.2 and appendix C2. The Board has noticed that clause 9.2.a and appendix C2 address the topic of risk assessment but not in the same way as clause 6.2. Under clause 6.2, the risk assessment is to be performed by the data processor, whereas under clause 9.2 and appendix C2, the risk assessment is to be performed by the data controller. Appendix C2 further sets out that the data processor shall implement measures that have been agreed with the data controller.

Regarding appendix C2, the Board is of the opinion that the wording “The level of security shall reflect” could be changed into “The level of security shall take into account”. Regarding the elements to be taken into account, Articles 32(1) and 32(2) GDPR mention the nature, scope, context and purposes of the processing activity as well as the risk for the rights and freedoms of natural persons. These could be elements to mention in order to clarify what is expected by “Describe elements that are essential to the level of security”.

Therefore, the Board recommends that the Danish SA clarifies and aligns clauses 6.2, 9.2 and Appendix C2.

3.2.7 Use of Sub-Processors (Clause 7 of the SCCs)

28. Regarding clauses 7.2 and 7.5 of the SCCs, the Board recommends that the Danish SA replace the word “consent” by “authorisation”, as this is the wording of Article 28(2) GDPR.


Furthermore, the Board is of the opinion that it would be more practical to create options in this clause as follows:

“2. The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of these standard contractual clauses without the prior [Choice 1] specific authorisation of the data controller / [Choice 2] general written authorisation of the data controller.”

29. Regarding clauses 7.3 and 7.4 of the SCCs, the Board finds it important to add the fact that the list of sub-processors which are accepted by the data controller at the time of the signature of the contract should be included as an appendix to the SCCs, be it on the basis of a general authorisation or a specific one. The purpose of this list is to ensure that even in cases of a general authorization, the data controller remains informed about the list of sub-processors as well as further changes. The Board recommends that the SCC clarifies that the list of sub-processors in appendix B2 has to be provided both in cases of general and specific prior authorisation.

Further, in appendix B1 of the SCCs, there are examples of clauses that the parties can choose in-between. The Board considers that it would, however, be better to include such clauses in the SCCs itself instead of in the appendices.

Finally, as regards the general prior authorisation, the Board is of the opinion that any conditions that the data processor might set for the data controller to object to changes of sub-processor(s) must allow the data controller to, in practice, exercise its freedom of choice and enable the data controller to remain in control over the personal data. This implies also that the data controller should have sufficient time to object to such a change.

The Board recommends that the Danish SA redraft clause 7.3 to create options within the clause that can be chosen by the parties within the SCCs and to incorporate the content of clauses 7.4 and 7.5 within 7.3.

Clause 7.3 could be drafted as follows:

“3. In case of general written authorisation, the data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors in at least [specify time period], and thereby giving the data controller the opportunity to object to such changes prior to the engagement of any sub-processor. Longer time periods of prior notice for specific sub-processing services can be provided in the Appendix B. The list of sub-processors already accepted by the data controller can be found in appendix B.

In case of specific prior authorisation, the data processor shall engage sub-processors solely with the prior authorisation of the data controller. The data processor shall submit the request for specific authorisation at least [specify time period] prior to the engagement of any sub-processor. The list of sub-processors already accepted by the data controller can be found in appendix B.”

As the option is created in the draft SCCs itself, appendix B1 can be deleted. In addition, the Board recommends that the Danish SA adds a possibility to have a longer period of prior notice in appendix B.

30. Regarding clause 7.6 of the SCCs, the Board understands this clause as a reference to Article 28(4) GDPR. As previously mentioned, it would be better to refer to the exact wording of the text of the GDPR to avoid any confusion.

Regarding clause 7.8 of the SCCs, the Board would like to underline the fact that its content is not required by Article 28 GDPR. The Board is of the opinion that the words “third party” are unclear. If the intention is to create a “third party beneficiary right” for the data controller within the contract between the data processor and the sub-processor, this should be specified.

As such, the Board sees an added value in having such a clause as part of a standard contractual clauses. Indeed, it preserves the rights of the data controller, including liability. For this reason, the Board encourages the Danish SA to make it clearer that the intention is to create a third beneficiary right for the data controller. This would imply for instance that the sub-processor would accept to be liable to the data controller in case the initial data processor is bankrupt, or the possibility for the controller to directly order the sub-processor to return the data.

31. Regarding clause 7.9 of the SCCs, the Board is of the opinion that it is important to make a reference to the rights of the data subject. This reference can be made as follows: “This does not affect the rights of the data subjects under the GDPR - in particular those foreseen in Articles 79 and 82 GDPR - against the data controller and the data processor, including the sub-processor.”

3.2.8 Transfer of data to third countries or international organisations (Clause 8 of the SCCs)

32. Regarding the title of the clause, the Board is of the opinion that it should be clarified that the words “third countries” refer to countries outside of the EEA and not outside of Denmark. The Board encourages the Danish SA to clarify this.

33. The Board is of the opinion that section 8 should clarify that the data controller has to decide whether a transfer is allowed under the contract or if it should be prohibited. The Board recommends to the Danish SA that this is made clear in the standard contractual clauses and encourages it to specify this in appendix C5.

34. Regarding clause 8.1 of the SCCs, the Board notes that the Danish SA has added parentheses after the word “transfer” as following “(assignment, disclosure and internal use)”. The Board wonders whether this aims at giving a definition of the word “transfer”. If this is the intention, the Board is of the opinion that as there is no such definition of the notion of transfer in the GDPR, it is better to delete these terms in parentheses.

Finally, the Board recommends that the Danish SA start its clause 8.1 by adding “In compliance with Chapter V GDPR...”. Indeed, the Board recalls that for any transfer outside of the EU, all provisions of Chapter V GDPR need to be complied with. It should be clarified under clause 8 that these SCCs cannot be understood as SCCs fulfilling the requirements of Art. 46 GDPR and therefore cannot be used as a tool to carry out international transfers within the meaning of Chapter V of the GDPR. This could be in addition reflected in the title of clause 8, which otherwise may give the impression that transfers can be carried out on the basis of these SCCs.

35. Regarding clause 8.2 of the SCCs, the Board has several remarks.

First, in the beginning of the sentence, the Board encourages the Danish SA to add the word “documented” before “instructions” to ensure legal certainty and alignment with Article 28(3)(a) GDPR and to change the word “approval” to “authorisation” in line with the terms used under Article 28 GDPR. The beginning of the sentence should be “Without the documented instructions or authorisation of the data controller”.

Second, on clause 8.2.a, the word “disclose” might create confusion with the notion of transfer. In addition, personal data can be transferred to a data controller (as already mentioned in the clause) but also to a data processor in a third country. The Board recommends that the Danish SA drafts clause 8.2.a as follows: “transfer personal data to a data controller or a data processor in a third country or in an international organisation”.

Third, on clause 8.2.b, the word “assign” might also create confusion with the notion of transfer. The Board recommends that the Danish SA replace the word “assign” by the word “transfer”.

Finally, on clause 8.2.c, it is unclear to the Board what the meaning of the word “divisions” is. The Board encourages the Danish SA to replace clause 8.2.c by the following sentence: “have the data processed by the Data Processor outside the EEA”.

36. Regarding clause 8.3 of the SCCs, the Board understands that it is a way to have the instructions of the data controller documented in the appendix C5. As already stated in the beginning of its opinion, the Board sees the appendices as mandatory. However, the Board is of the opinion that mentioning the choice of the tool for transfer could have a benefit, in addition to the instructions, as it contributes to demonstrating compliance of the parties with Chapter V of the GDPR. The Board encourages the Danish SA to amend clause 8.3 as follows:

37. “The data controller’s instructions regarding transfers of personal data to a third country including, if applicable, the transfer tool on which they are based, shall be set out in appendix C5 of these standard contractual clauses. The same procedure shall be applied for the approval of transfers of personal data to a third country.”

3.2.9 Assistance to the data controller (Clause 9 of the SCCs)

38. Clause 9.1 of the SCCs reflects the content of Article 28(3)(e) of the GDPR. The obligation of the data processor under this clause is to assist the data controller to respond to requests for exercising data subject’s rights. The assistance can take various forms. The Board is of the opinion that the SCCs need to give details on the manner in which the processor is required to provide assistance and not only the list of possible rights to be exercised.

Notably, the SCCs should set out the steps to be taken by the data processor in case the latter directly receives a request from a data subject relating to the exercise of his/her rights. For example, it has to be clear in the agreement in such a case as to whether the data processor is not allowed to have any contact with the data subjects, and how the processor needs to inform the controller when it comes to data subjects’ rights (e.g. forwarding the request to the controller within a specified timeframe or other appropriate measures). In this case, the assistance is provided only through an exchange of information between the data controller and the data processor. Another scenario could be that the data controller instructs the data processor to answer to data subject’s requests according to instructions given. Another option could be that the data processor would make the technical implementations instructed by the data controller with respect to data subject rights. The Board recommends that the Danish SA reflect on the possibility to include the following sentence under clause 9.1 of the SCCs:

“The parties shall define in appendix C the appropriate technical and organisational measures with which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in clauses 9.1 and 9.2 of the standard contractual clauses.”

A new point in appendix C needs to be created in order to have the technical and organisational measures specified.


Further, on clauses 9.1.a and 9.1.b the Board recommends that the Danish SA use the words “right to be informed” instead of the word “notification”, as follows: “Right to be informed when collecting personal data from the data subject” - “Right to be informed when personal data have not been obtained from the data subject”.

Regarding clause 9.1.j, the Board would prefer to have the exact wording of the GDPR. The Board therefore encourages the Danish SA to redraft it as follows: “the right not to be subject to a decision solely based on automated processing, including profiling”.

39. Clause 9.2 of the SCCs reflects the content of Article 28(3)(f) of the GDPR. Hence the Board recommends replacing “data made available” by “information available”. The obligation of the data processor under this clause is to assist the data controller for the fulfilment of the legal duties relating to the security, the data protection impact assessment and prior consultation of SAs. Here again, the Board is of the opinion that the SCCs need to give details on the manner in which the data processor is required to provide assistance to the data controller.

As already stated in paragraph 27 of this opinion, the Danish SA should clarify the relationship between clause 9.2 and clause 6 on security of the processing. The Board understands the relationship between those two clauses as referring to Article 28(3)(c) of the GDPR for clause 6 and to Article 28(3)(f) for clause 9.2. Indeed, clause 9.2.a and to a certain extent clause 9.2.b are obligations that need to be fulfilled in all cases by the data processor subject to the GDPR. This follows from Article 32(1) and Article 33(2) GDPR. For clause 9.2.a to be kept, some further alignments with Article 32(1) GDPR would be required. The Board recommends to the Danish SA to make clear that the risk would be the risk “for the rights and freedoms of natural persons”. Furthermore, not only is the nature of the processing to be taken into account, but also the state of the art, the costs of implementation, the scope, the context and the purposes of the processing. The Board understands that the parties should specify in Appendix C2 the minimum level of security and measures to be implemented by the data processor. The Board considers it important that details on assistance to the data controller as regards security of the processing be included in the instructions under appendix C2.

The Board has provided a drafting suggestion covering clauses 9.1 and 9.2 above.

On clause 9.2.b, the Board is of the opinion that any reference to a specific national supervisory authority in a model contract should be avoided. In addition, the word “report” should be replaced by “notify” and “discovering” should be replaced by “after becoming aware” to be in line with Article 33(2) GDPR.

Clause 9.2.b could be drafted as follows: “b. its obligation, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, to report personal data breaches to the competent supervisory authority, [PLEASE INDICATE the competent SA], without undue delay and where feasible, no later than 72 hours after having become aware of such breach”.

On clause 9.2.e, here again, the Board is of the opinion that the reference to the Danish SA should be removed. Clause 9.2.e could be drafted as follows: “e. the obligation to consult the competent supervisory authority, [PLEASE INDICATE the competent SA], prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk”.

The Board considers it important to have this clause further detailed in appendix C or D to ensure that the parties make arrangements on the manner this assistance will be provided in practice.


3.2.10 Notification of personal data breach (Clause 10 of the SCCs)

40. Regarding clause 10.1 of the SCCs, the Board, as already stated, favours the wording of the GDPR in order to avoid any confusion. In this clause, the word “discovery” should be changed into “after having become aware”. In addition, the Board encourages the Danish SA to add the word “any” before “personal data breach” in order to make clear that it is not up to the data processor to assess whether or not the data breach has to be notified to the competent SA. This is the data controller’s responsibility⁴.

The sentence could be changed as follows: “1. In case of any personal data breach, the data processor or sub-processor shall, without undue delay after having become aware of it, notify the data controller.”

The Board recommends deleting “at the data processor’s facilities or a sub-processor’s facilities”, which would limit the notification obligation to cases where the breach occurs in these facilities, whereas such a limitation does not stem from the GDPR.

Regarding the second part of clause 10.1, the Board is of the opinion that it can be completed as follows:

“The data processor’s notification to the data controller shall, if possible, take place within [number of hours] after the data processor has become aware of the breach in order to enable the data controller to comply with his obligation to report personal data breaches already mentioned in clause 9.2.b.”

41. Regarding clause 10.2 of the SCCs, the Board is of the opinion that the words “taking into account the nature of the processing and information available” could be further specified in appendix D in order to be more concrete and tailor-made. The following wording could be added in a new paragraph at the end of clause 10.2:

“The parties shall define in appendix D the elements to be provided by the data processor to assist the data controller in the reporting of a breach to the supervisory authority.”

In addition, at the beginning of the second sentence of clause 10.2, the draft SCCs state “This may mean - on the basis of the information available to the Processor - (...)”. The Board is of the opinion that - for the sake of legal certainty - it is better to avoid this kind of formulation. The Board encourages the Danish SA to amend this wording by deleting the word “may”.

3.2.11 Erasure and return of data (Clause 11 of the SCCs)

42. Regarding clause 11 of the SCCs, the Board is of the opinion that it would be more practical to create a real option in this clause. The Board encourages the Danish SA to amend this clause in order to create two concrete options to be chosen by the Data Controller.

The clause could be drafted as follows:

“On termination of the processing services, the data processor shall be under obligation [Option 1] to delete all personal data processed on behalf of the data controller [Option 2] to return all the personal data to the Data Controller and to erase existing copies.

[Optional] The following EU or Member State law applicable to the processor requires storage of the personal data after the termination of the processing services: ............................ The processor commits to exclusively process the data for the purposes provided by this law and under the strict applicable conditions.”

⁴ See Guidelines on data breach notification (p. 13): “It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller.”

More information could be provided in appendix C3, including the possibility for the data controller to modify the option chosen at the signature of the contract. This, as a consequence, affects the content of appendix C3. The Board encourages the Danish SA to better distinguish the storage period from the erasure procedures under appendix C3 and to reflect the possibility for the data controller to change the choice made.

Finally, the Board is of the opinion that the words “processing services” need to be specified, for instance by “after the end of the provision of services relating to processing”. This can be done in appendix D.

3.2.12 Inspection and audit (Clause 12 of the SCCs)

43. Clause 12.1 of the SCCs reflects the content of Article 28(3)(h) of the GDPR. The Board recommends using the same terminology as in paragraph 1, “audits, including inspections”, within paragraphs 2 and 3, which only refer to inspection.

44. Regarding clause 12.3 of the SCCs, the Board understands it as covering audits and inspections towards the sub-processor. In accordance with Article 28(4) of the GDPR, the same obligations as set out in the contract or another legal act between the controller and the processor shall be imposed on the sub-processor. This includes the obligation under Art. 28(3)(h) to allow for and contribute to audits by the data controller or another auditor mandated by the data controller. The drafting of clause 12.3 seems to limit this right of the data controller vis-à-vis the sub-processor (“if applicable” and “performed through the Data processor”). The Board recommends that the Danish SA redrafts clause 12.3 in order to be in full compliance with the GDPR. This can be done by merging clauses 12.2 and 12.3 as follows: “Procedures applicable to the data controller’s audits, including inspections of the data processor and the data sub-processor, are specified in appendices C6 and C7 to these standard contractual clauses.”

45. Regarding appendices C6 and C7, the Board recommends the Danish SA to change the following sentence, “The inspection report shall without delay be submitted to the Data Controller for information purposes”, to make it clear that the controller is able to contest the scope, the methodology and the results of the inspection. The controller should also be able to request measures to be taken following the results of the inspection.

46. In addition, the references in appendix C6 to “Data Processor’s facilities” and in C7 to “Sub-Processor’s facilities” need to be broadened. Indeed, the rights of the data controller in the framework of inspections and/or audits should not be limited to the facilities of the processor or sub-processors. The data controller should have access to the places where the processing is being carried out. This includes physical facilities as well as systems used for and related to the processing.


3.2.13 The parties’ agreement on other terms (Clause 13 of the SCCs)

47. Regarding clause 13 of the SCCs, the Board recommends that the Danish SA bear in mind that if a paragraph specifying liability, governing law, jurisdiction or other terms is included, it cannot lead to any contradiction with the relevant provisions of the GDPR or undermine the level of protection offered by the GDPR or the contract.

3.2.14 Commencement and termination (Clause 14 of the SCCs)

48. Regarding clause 14.4 of the SCCs, the Board is of the opinion that a specific provision on the termination of the contract might also be relevant for the SCCs. As the position of the Board is that the relationship between the data processing agreement and the master agreement should be more flexible, the Board recommends that the Danish SA includes a provision on termination within the SCCs.

49. Regarding clause 14.5 of the SCCs, the Board is of the opinion that this clause might be in contradiction with clauses 2.4 or 14.4. The Board recommends that the Danish SA clarifies the relationship between those three clauses.

3.2.15 Appendix A

50. Appendix A aims at giving details about the processing activities undertaken by the data processor on behalf of the data controller. To this end, the Board recommends that the purpose and the nature of the processing are described, as well as the types of personal data processed, the categories of data subjects concerned and the duration of the processing. This description should be made in the most detailed manner possible, and, in any circumstance, the types of personal data must be specified further than merely “personal data as defined in article 4(1)” or stating which category (Article 6, 9 or 10) of personal data is subject to processing. The Board is of the opinion that it should be clear that, in case of several processing activities, these elements have to be completed for each of them. In addition, the Board is not convinced by the first two examples, as it is difficult to distinguish the purpose from the nature of the processing.

4 CONCLUSIONS

51. The Board very much welcomes the Danish initiative to submit their draft SCCs for an opinion, which aims at contributing to a harmonised implementation of the GDPR.

52. The Board is of the opinion that the draft SCCs of the Danish Supervisory Authority submitted for an opinion need further adjustments in order to be considered as standard contractual clauses. The Board made several recommendations in its opinion here above. If all recommendations are implemented, the Danish SA will be able to use this draft agreement as Standard Contractual Clauses pursuant to article 28.8 GDPR without any need for a subsequent adoption by the EU Commission.

5 FINAL REMARKS

53. This opinion is addressed to Datatilsynet (the Danish Supervisory Authority) and will be made public pursuant to Article 64(5b) GDPR.


54. According to Article 64(7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means, within two weeks after receiving the opinion, whether it will amend or maintain its draft SCCs. Within the same period, it shall provide the amended draft SCCs⁵ or, where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part.

For the European Data Protection Board

The Chair

(Andrea Jelinek)

⁵ The supervisory authority shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism, in accordance with article 70(1)(y) GDPR.