EN
Technology

Companies can apply the Danish Standard Data Processing Agreement in Norway and Sweden

logo
Legal news
calendar 20 May 2020
globus Denmark, Sweden, Norway

Following an opinion issued by the European Data Protection Board, the Danish Data Protection Agency finalized its Standard Data Processing Agreement in 2019 which aims to help companies comply with the minimum requirements under the GDPR. The Norwegian and Swedish supervisory authorities have now confirmed that companies can also use the Danish Standard Data Processing Agreement in Norway and Sweden going forward.

With the entry into force of the GDPR, the requirement to conclude data processing agreements was, among other things, introduced. This obligation illustratively applies when companies use external service providers or business partners to process personal data on its behalf. Data processing agreements must comply with a series of requirements, including information on the duration and purpose of the processing activity as well as the type of personal data being processed.

Just before the GDPR entered into force, the Danish Data Protection Agency issued a draft Standard Data Processing Agreement which subsequently was reviewed by the European Data Protection Board to ensure that the rules were applied in a uniform manner across the EU. Based on the opinion of the European Data Protection Board, changes were then introduced to the Standard Data Processing Agreement, which in return obtained special legal effect.

This special legal effect entails that when companies apply the Standard Data Processing Agreement, it will obtain an increased level of security as the clauses will not be examined during a potential supervisory visit.

With declarations from the Norwegian and Swedish supervisory authorities, companies will now also be able to benefit from the same security when applying the Standard Data Processing Agreement in Norway and Sweden as both supervisory authorities.

IUNO’s opinion

When companies use external resources, it’s necessary to consider the applicable data protection rules. As a starting point, companies must, therefore, always consider each processing activity to establish whether it concerns a data processor or data controller, but also who is responsible for what and other measures which may be necessary.

IUNO recommends for companies to apply or consider the Standard Data Processing Agreement to facilitate processing activities in Denmark, Norway and Sweden. However, at the same time, companies must in practice also ensure that it complies with the requirements, namely in light of the negative consequences it may entail in case of breach of obligations.

Read more about how we can help with compliance here.

With the entry into force of the GDPR, the requirement to conclude data processing agreements was, among other things, introduced. This obligation illustratively applies when companies use external service providers or business partners to process personal data on its behalf. Data processing agreements must comply with a series of requirements, including information on the duration and purpose of the processing activity as well as the type of personal data being processed.

Just before the GDPR entered into force, the Danish Data Protection Agency issued a draft Standard Data Processing Agreement which subsequently was reviewed by the European Data Protection Board to ensure that the rules were applied in a uniform manner across the EU. Based on the opinion of the European Data Protection Board, changes were then introduced to the Standard Data Processing Agreement, which in return obtained special legal effect.

This special legal effect entails that when companies apply the Standard Data Processing Agreement, it will obtain an increased level of security as the clauses will not be examined during a potential supervisory visit.

With declarations from the Norwegian and Swedish supervisory authorities, companies will now also be able to benefit from the same security when applying the Standard Data Processing Agreement in Norway and Sweden as both supervisory authorities.

IUNO’s opinion

When companies use external resources, it’s necessary to consider the applicable data protection rules. As a starting point, companies must, therefore, always consider each processing activity to establish whether it concerns a data processor or data controller, but also who is responsible for what and other measures which may be necessary.

IUNO recommends for companies to apply or consider the Standard Data Processing Agreement to facilitate processing activities in Denmark, Norway and Sweden. However, at the same time, companies must in practice also ensure that it complies with the requirements, namely in light of the negative consequences it may entail in case of breach of obligations.

Read more about how we can help with compliance here.

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology HR-legal Corporate

2 November 2021

Joint whistleblower schemes for multinationals

logo
HR Legal Corporate Technology

20 October 2021

New Act on the protection of whistleblowers on the way

logo
Technology

7 October 2021

Holiday did not excuse delayed communication of data breach

logo
Technology

23 September 2021

The Danish Data Protection Authority’s whistleblower scheme is on the way

logo
Technology

9 September 2021

Failure to comply with retention periods resulted in EUR 1.75 million fine

logo
Technology

1 September 2021

Can companies “snoop” in former employees’ e-mail accounts?

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate