The transfer of personal data to third countries requires a separate legal basis in Chapter 7 of the Act on Processing of Personal Data. This requirement also applies in cases that do not involve the transfer of sensitive personal data, cf. sections 7 and 8 of the act.

In addition, section 27(5) of the act states that the transfer of personal data to third countries must always take place pursuant to the provisions of the Act on Processing of Personal Data. This means that there must be a legal basis for the processing of data in the processing rules in Chapter 4 of the act, and that the other rules of the act must also be observed. This requirement also applies when the standard contractual clauses described below are applied.

According to section 27(4) of the Act on Processing of Personal Data, authorisation must be obtained from the Danish Data Protection Agency in order to transfer personal data to third countries that do not fulfil section 27(1) of the act, and the controller seeks to provide adequate guarantees for the protection of the rights of the data subject.

Pursuant to Article 26(4) of the European Parliament and Council’s directive 95/46/EEC (data protection directive), the European Commission has found that certain model contracts/standard contractual clauses provide adequate guarantees for the protection of privacy, basic rights and liberties, as well as for exercising the associated rights. The use of these standard contractual clauses is carried out in accordance with Danish law, pursuant to section 27(4) of the Act on Processing of Personal Data, which covers the use of the Commission’s standard contractual clauses, as well as other contractual clauses prepared by the controller. Authorisation from the Danish Data Protection Agency must be obtained in both cases.

The standard contractual clauses approved by the Commission are accessible via the Commission’s website.

When using the Commission’s standard contractual clauses, the controller should begin by determining whether the transfer is to a processor or a controller established in a third country, as separate standard contractual clauses exist for these types of transfers.

According to Article 26(4) of the Data Protection Directive and the comments on section 27(4) of the Act on Processing of Personal Data, the use of the Commission’s standard contractual clauses will always fulfil the requirement for the necessary guarantees. The Danish Data Protection Agency’s issuance of authorisation in these cases will therefore solely be based on an assessment of whether the contractual clauses submitted are identical with the standard contractual clauses approved by the Commission. This will also be reflected in the conditions the Danish Data Protection Agency will stipulate pursuant to section 27(4)2.

When submitting an application for authorisation from the Danish Data Protection Agency to transfer personal data based on the Commission’s standard contractual clauses, the controller should provide a general review of the circumstances of the transfer and confirm that the contractual clauses are identical to the Commission’s standard contractual clauses.

If the contractual clauses deviate from the Commission’s standard contractual clauses, this should always be highlighted by the controller so that the Danish Data Protection Agency can assess whether the deviations should be considered in violation of the Commission’s standard contractual clauses. See also consideration 5 in the Commission’s decision of 15 June 2001 and consideration 4 in the Commission’s decision of 27 December 2001 regarding the standard contractual clauses (see link above).