Here UNITAS answers the most common questions about Datatilsynet's standard contractual clauses and highlights a number of changes.
The standard contractual clauses replace the data processor agreement template
The standard contractual clauses are a revised version of Datatilsynet's data processor agreement template and are hereinafter referred to as the Provisions.
Overall, the Provisions must be applied in full if you want to achieve increased compliance when entering into a data processing agreement. The old distinction between text that had to be agreed and text that could be agreed is thus gone.
Am I safe if I apply the Provisions?
You would think you were on safe ground if you applied the Provisions. However, that is far from certain.
How much applying the Provisions actually reduces the risk of an audit depends on the extent to which you actually follow them.
The Data Protection Council, which has approved the Provisions, writes as follows:
"to the extent that organizations choose to make use of these standard provisions, the Danish SA, for example in connection with an inspection visit, will not examine these provisions in more detail."
In short, you are protected only to the extent that you have actually adopted the Provisions without changing them. If you have simply filled them in, you are protected.
However, if the Provisions are completed incorrectly, insufficiently or in a way that conflicts with other terms in the Provisions, it must be expected that Datatilsynet will take an interest in the deviations and that the deviations will be sanctioned.
What do I do if I have applied Datatilsynet's old template?
In that case, Datatilsynet has called for calm:
"Organisations which have based their data processing agreements on Datatilsynet's original template should not be concerned about whether they still comply with data protection rules.
Datatilsynet is aware of the large amount of time and resources that can be associated with negotiating concrete data processing agreements, and the authority has therefore decided, to a large extent and as a starting point, to continue to accept agreements that are based on the authority's original template and which were entered into before today's date."
What if I don't apply the Provisions?
The Provisions must be presumed to set a new standard for what a data processor agreement should contain. It therefore goes without saying that using data processing agreements that deviate from the Provisions entails an increased risk of being considered to have committed an infringement.
Can I use the Provisions in my European group?
There is of course nothing to prevent that. Datatilsynet has in fact just made an English version available.
At the same time, one might wonder whether the German or French data protection authorities will take an interest in the Provisions if they have been applied throughout a European group, or whether those authorities will likewise refrain from examining the content of the Provisions further.
To this, the answer must be that, as a rule, it is only Datatilsynet that will refrain from examining data processing agreements more closely.
However, it must also be acknowledged that the European data protection authorities will at the same time respect the fact that the Provisions have been created through the consistency mechanism of the Data Protection Regulation. As a member of the EEA, Norway has just indicated that the Provisions are applicable in Norway because they have been approved by the Data Protection Council.
All in all, it must therefore be assumed that both the Danish and the other European data protection authorities will refrain from investigating data processing agreements more closely if it can be established that a data controller or data processor has generally decided to apply the Provisions and that they are in fact being used.
Ultimately, the purpose of the Provisions has probably been to facilitate supervisory work. The authorities presumably do not want to spend a lot of time reviewing data processing agreements; they would rather establish that the Provisions are applied and then spend their time on other supervisory tasks.
Conversely, the authority may have created some extra work for itself with the Provisions, because it is now evident when the Provisions are not applied, and then the actual data processing agreements have to be read through.
There are errors in the Danish version of the Provisions. What do I do?
Unfortunately, three errors have crept into the Danish version of the Provisions.
Paragraph 7.7 should not read "If the data processor does not meet ..", but rather "If the sub-processor does not meet ..".
In point 9.2 there is a reference to point 6.4, but point 6.4 does not exist. The reference should be to point 6.3 instead.
In paragraph 14.5, "data controller" is incorrectly given as the name of both parties. In one place it should of course have said "data processor".
The first and last errors have not crept into the English version of the Provisions.
It must be assumed that it is entirely harmless to correct the errors. At the same time, Datatilsynet will probably have them fixed as soon as possible.
What does it mean that the Provisions take precedence?
The Provisions take precedence. This means that you must ensure that, across the entire contractual basis, data protection is addressed only in the Provisions.
If there is something about data protection elsewhere in the contractual basis that is not regulated by the Provisions, it will in principle mean that the Provisions have not been properly applied, and the protection afforded by the Provisions is then lost.
However, the fact that the Provisions take precedence also means that they are to some extent immunised against misuse, as long as the other data protection terms in the contractual basis actually cover the same matters as the Provisions.
Should the data processor check whether the data controller is doing something illegal?
It can be said that the data processor borrows its processing basis from the data controller.
Put simply, the data processor should not have an independent basis for its processing of personal data on behalf of the data controller.
If you provide hosting to the public sector, you "inherit" the processing basis from the public institution that is the data controller. In most cases, this will be the exercise of official authority. So far so good.
Paragraph 4.2 of the Provisions specifies that the data processor must immediately notify the data controller if, in the opinion of the data processor, an instruction contravenes the Data Protection Regulation, data protection provisions of other EU law or the national law of the Member States. The same was found in the old standard data processor agreement.
However, as a new element, it is included that the parties "should" anticipate and consider the consequences that may result from an unlawful instruction given by the data controller, and regulate this in an "agreement between the parties".
Since it says "should", and since the recommendation is inserted as a note, this must be understood to mean that the parties may choose not to address this situation, and that such an opt-out does not affect whether the Provisions have been properly applied.
If you want to follow the recommendation, you can simply start by stating that the data processor must not follow an instruction which the data processor considers unlawful. Thereafter, the parties must jointly agree on the legality of the instruction.
However, this does not solve the overall problem, namely the question of whether the data processor should monitor the data controller's use of the data processor's services.
If the data controller uses the data processor to send marketing to persons who have not consented to it, and the data processor is aware of this, it must be assumed that the data processor must inform the data controller and possibly refrain from sending the marketing material. In practice, this probably occurs only rarely.
How far does the data processor's duty to investigate extend? It is too early to say, but at this point our suggestion is that the data processor need not set up an actual monitoring system that somehow tracks the data controller's processing activities through the data processor's services more closely. Case law may, however, make us wiser.
Should both the data controller and the data processor prepare a risk assessment?
Yes.
Paragraphs 6.1 and 6.2 make clear that both the data controller and the data processor must prepare a risk assessment covering the activities the data processor performs on behalf of the data controller.
The data processor's risk assessment must be carried out "independently of the data controller". However, the data controller must make the necessary information available to the data processor so that the data processor can fulfil its obligation.
Overall, any data processing agreement entered into must therefore be accompanied by at least two compliance documents: the data controller's and the data processor's risk assessments.
Thus, if a number of data processing agreements have been entered into, even where the Provisions have been applied, but there are no risk assessments, there will be a breach of the Data Protection Regulation.
However, it should be possible for the data processor, in particular, to prepare a standard risk assessment covering the processing activities that an offered service entails.
What security measures should be mentioned?
Only supplementary security measures should be mentioned in Annex C.
Thus, if the data controller, in the light of its risk assessment, finds that the data processor's existing security is sufficient, it will not be necessary to describe the relevant technical and organisational measures in Annex C. This, of course, assumes that the data controller has taken a qualified position on the data processor's existing security.
You must specify the specific legislation that affects processing after termination
If the data processor is obliged to retain personal data after the service has ceased, point 11.2 of the data processing agreement must state which legislation binds the data processor.
The parties must separate the different processing activities and complete Annex A for each processing activity
The question then is when there are two different processing activities that require a separate Annex A.
Data processors should probably get used to the fact that each service they offer must have its own Annex A with information on the specific processing of personal data.
At the same time, it must be assumed that many data controllers will find it difficult to keep track of whether a service that is purchased as a single item under contract law must in fact be split up under data protection law.
The personal data to be processed must be specified as far as possible
Thus, it is not enough in Annex A to state that ordinary personal data is processed. It must be stated directly which personal data is processed.
Don't just refer to the main agreement
In Annex C, you must describe the subject matter of and the instruction for the processing. Here it is no longer enough, as is often seen, simply to refer to the main agreement.
Thus, it must be assumed that many IT service providers will need to describe their services with a higher degree of precision than today, for example by using a data flow description or an account of the processing operations that make up the service.
It must be specified how the data processor is to assist
Point C.3 of Annex C must state in detail how the data processor is to assist the data controller with respect to the rights of data subjects. That is, it is not enough to say that the data processor will provide assistance; it must be clear how the data processor will assist.
The same applies to the data processor's assistance in relation to notification and communication of personal data breaches, preparation of impact assessments and prior consultation with the competent supervisory authority.
The scope and extent of the duty to assist must be considered and described. Not all assistance obligations will be relevant in every case, for example if no impact assessment is to be prepared.
In other words, the data processor has to sit down and think about how it will specifically handle a request for access, a request for erasure, a request for data portability, etc.
The same applies, for example, to a breach situation. What does the data processor do here to help the data controller?
A procedure must then be described setting out how the data processor specifically reacts in each situation, after which point C.3 can refer to this procedure.
Do I need an assurance report from the data processor?
No.
The data processor is not required to obtain an audit report from an audit firm, for example under the ISAE 3000 standard. Nor can the data controller require such a report.
Instead, the data controller must determine, prior to concluding the Provisions and as part of its risk assessment, how it will supervise the data processor and, where relevant, its sub-processors.
Moreover, there is nothing new in this active supervisory obligation. It also applied under the Personal Data Act.
The data controller must have access to the data processor's systems for audits, including inspections
As something new, it is stated that the data controller must in principle have access to the data processor's "systems".
This extension of the audit right follows directly from the Data Protection Council's Statement to Datatilsynet. The Council took the view that the supervisory right should be extended (section 46, page 14):
"Indeed, rights of the data controller in the framework of inspections and/or audits should not be limited to the facilities of the processor or sub-processors. The data controller should have access to the places where the processing is being carried out. This includes physical facilities as well as systems used for and related to processing."
What exactly this entails, and how it will play out in practice, we dare not guess, but it appears to be a far-reaching right of access that may prove uncomfortable for the data processor.
However, not many data controllers are likely to make use of this right, if the data processor even agrees to a term granting access to its "systems" at all.