The Outsourced DPO picked up an inbound support ticket this morning querying whether a data processor agreement was still relevant or required amending in light of Brexit and Schrems II.
The processor agreement in question was that issued by the Danish Data Protection Authority, Datatilsynet, which has taken some flak but is inherently a good agreement. As a side note, if you do use it you should check that you are using version 1.1, which was issued in January this year and carries a couple of corrections.
The Danish SA agreement https://edpb.europa.eu/sites/edpb/files/files/file2/dk_sa_standard_contractual_clauses_january_2020_en.pdf prohibits the processor from transferring personal data to a third country without documented instructions from the controller, and sets out that any such transfers must be carried out in accordance with the rules set out in Chapter 5 of the GDPR which includes mechanisms such as standard contractual clauses. For the avoidance of doubt, clause 8.3 summarises that processors are prohibited from using other processors in third countries as well as processing personal data themselves in a third country.
The processor agreement in itself is fine but does not cover off international transfers: you still need to have supplementary arrangements if personal data are being transferred to or processed in third countries or international organisations. This may seem obvious, but as the Danish agreement is headed “Standard Contractual Clauses”, it has led to some confusion. This brings us to the issues of Brexit and Schrems.
Looking at Brexit first, there still seems to be a degree of uncertainty as to whether the UK will be classified as a “third country” for the purposes of the GDPR by the EU from 1st January. Current advice and guidance is that the UK will not classify EU member states as “third countries” (https://ico.org.uk/media/for-organisations/documents/brexit/2617110/information-rights-and-brexit-faqs-v2_3.pdf), but as the UK Government has said it will keep this under review, it remains a possibility.
If adequacy is not granted by the EU and/or if the UK does not recognise the EU member states as having adequacy, transfers and processing of personal data across affected borders would need to be made on the basis of a mechanism such as standard contractual clauses (SCCs). Therefore, the only circumstances you can rely on from January as it stands today are those where all transfers and processing of personal data are carried out exclusively in the UK by you and the entirety of your processor network.
If you need to implement SCCs then you also need to consider the recommendations made by the European Data Protection Board last week. One would assume that the EDPB would not expect processors within the EU to be subject to its recommendation regarding supplementary steps but transfers and onward transfers to third countries would be. Another consideration is the revised SCCs published last week by the European Commission which are open for consultation until mid-December.
In summary, the Danish processor agreement is sound, but transfers outside of the UK need to have supplementary documentation where they involve transfers to a “third country”. As it stands, the UK seems unlikely to classify EU member states as “third countries” – but the Government are keeping this under review. If you do need to implement an international transfer mechanism and choose to use SCCs, you need to take into account the EDPB recommendations on supplementary tools. You may also need to replace all of your SCCs in the New Year with the new set.