Article 28(8) of the General Data Protection Regulation (GDPR) gives national supervisory authorities the option to issue standard contractual clauses for matters concerning data processing agreements between data controllers and data processors. A supervisory authority that decides to do so must draft a decision on the adoption of the standard contractual clauses and notify the European Data Protection Board (EDPB) of it. The EDPB then issues its opinion on the draft. The purpose of this opinion is to contribute to a harmonised approach to cross-border processing, or processing that might affect the free flow of personal data, and to the consistent application of the GDPR.
It is important to note that the standard contractual clauses under Article 28 of the GDPR, which serve to conclude a data processing agreement, differ from the standard contractual clauses under Article 46 of the GDPR, which a data controller and a data processor can use as appropriate safeguards for transfers of personal data outside the EU.
The Danish supervisory authority, Datatilsynet, used this option and submitted standard contractual clauses for data processing agreements; on 9 July 2019 the EDPB issued its opinion on them.
In this opinion, the EDPB notes that any set of standard contractual clauses submitted to it must go beyond the provisions of the GDPR (primarily Article 28) and use the exact terms the GDPR uses (for example: instruct, document, notify, transfer, state of the art). Proposed clauses that merely repeat, or otherwise restate, provisions of the GDPR are not appropriate formulations for standard contractual clauses. A data processing agreement should instead specify and clarify how the GDPR provisions are to be implemented (e.g. by setting out deadlines, the obligations of the data controller and the data processor, the obligations concerning the engagement of sub-processors, and the transfer of personal data outside the EU).
Pursuant to Article 28(6) of the GDPR, the use of standard contractual clauses adopted by a national supervisory authority does not preclude the contracting parties from using other clauses or additional measures, provided these do not contradict, directly or indirectly, the adopted clauses or jeopardise the fundamental rights and freedoms of data subjects.
The EDPB's opinion also makes the following remarks on data processing agreements:
1) The data processing agreement shall, depending on the circumstances, refer to the master agreement between the contracting parties (e.g. state whether a master agreement has been concluded, and whether the data processing agreement can be terminated independently of the master agreement).
2) The data controller can give further instructions to the data processor outside the data processing agreement, but those instructions must be documented.
3) The data processing agreement shall specify one of two options: a general authorisation to engage sub-processors, or the engagement of a specific sub-processor only with written authorisation. It is also recommended to state a deadline for notifying the data controller of the engagement of a sub-processor.
4) The data processing agreement shall include the data processor's obligation to notify the data controller of a personal data breach, together with the deadline for such notification.
5) The types of personal data processed within the scope of the agreement shall be specified in as much detail as possible. It does not suffice to refer to a provision of the master agreement or of the GDPR, or to name only the category of personal data (e.g. instead of merely stating that special categories of personal data will be processed, it is recommended to specify the types of personal data, such as occupational injuries, political opinions, and religious beliefs).