EN
Technology

Companies can apply the Danish Standard Data Processing Agreement in Norway and Sweden

logo
Legal news
calendar 20 May 2020
globus Denmark, Sweden, Norway

Following an opinion issued by the European Data Protection Board, the Danish Data Protection Agency finalized its Standard Data Processing Agreement in 2019 which aims to help companies comply with the minimum requirements under the GDPR. The Norwegian and Swedish supervisory authorities have now confirmed that companies can also use the Danish Standard Data Processing Agreement in Norway and Sweden going forward.

With the entry into force of the GDPR, the requirement to conclude data processing agreements was, among other things, introduced. This obligation illustratively applies when companies use external service providers or business partners to process personal data on its behalf. Data processing agreements must comply with a series of requirements, including information on the duration and purpose of the processing activity as well as the type of personal data being processed.

Just before the GDPR entered into force, the Danish Data Protection Agency issued a draft Standard Data Processing Agreement which subsequently was reviewed by the European Data Protection Board to ensure that the rules were applied in a uniform manner across the EU. Based on the opinion of the European Data Protection Board, changes were then introduced to the Standard Data Processing Agreement, which in return obtained special legal effect.

This special legal effect entails that when companies apply the Standard Data Processing Agreement, it will obtain an increased level of security as the clauses will not be examined during a potential supervisory visit.

With declarations from the Norwegian and Swedish supervisory authorities, companies will now also be able to benefit from the same security when applying the Standard Data Processing Agreement in Norway and Sweden as both supervisory authorities.

IUNO’s opinion

When companies use external resources, it’s necessary to consider the applicable data protection rules. As a starting point, companies must, therefore, always consider each processing activity to establish whether it concerns a data processor or data controller, but also who is responsible for what and other measures which may be necessary.

IUNO recommends for companies to apply or consider the Standard Data Processing Agreement to facilitate processing activities in Denmark, Norway, and Sweden. However, at the same time, companies must in practice also ensure that it complies with the requirements, namely in light of the negative consequences it may entail in case of breach of obligations.

Read more about how we can help with compliance here.

With the entry into force of the GDPR, the requirement to conclude data processing agreements was, among other things, introduced. This obligation illustratively applies when companies use external service providers or business partners to process personal data on its behalf. Data processing agreements must comply with a series of requirements, including information on the duration and purpose of the processing activity as well as the type of personal data being processed.

Just before the GDPR entered into force, the Danish Data Protection Agency issued a draft Standard Data Processing Agreement which subsequently was reviewed by the European Data Protection Board to ensure that the rules were applied in a uniform manner across the EU. Based on the opinion of the European Data Protection Board, changes were then introduced to the Standard Data Processing Agreement, which in return obtained special legal effect.

This special legal effect entails that when companies apply the Standard Data Processing Agreement, it will obtain an increased level of security as the clauses will not be examined during a potential supervisory visit.

With declarations from the Norwegian and Swedish supervisory authorities, companies will now also be able to benefit from the same security when applying the Standard Data Processing Agreement in Norway and Sweden as both supervisory authorities.

IUNO’s opinion

When companies use external resources, it’s necessary to consider the applicable data protection rules. As a starting point, companies must, therefore, always consider each processing activity to establish whether it concerns a data processor or data controller, but also who is responsible for what and other measures which may be necessary.

IUNO recommends for companies to apply or consider the Standard Data Processing Agreement to facilitate processing activities in Denmark, Norway, and Sweden. However, at the same time, companies must in practice also ensure that it complies with the requirements, namely in light of the negative consequences it may entail in case of breach of obligations.

Read more about how we can help with compliance here.

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Managing associate (on leave)

Similar

logo
Technology

15 January 2024

Expensive right of access requests

logo
Technology

28 September 2023

Seven commandments when closing the business e-mail account

logo
Technology

19 September 2023

Unfair design practices resulted in a 345 million euro fine

logo
Technology

14 September 2023

Accessible personnel files resulted in a data breach

logo
Technology

14 September 2023

Deadline to establish whistleblower schemes for medium-sized companies approaching

logo
Technology

31 August 2023

New guidance from the Danish Data Protection Agency on direct marketing

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Managing associate (on leave)