Genvejsmenu:
S - Indhold
1 - Forside
2 - Nyheder
3 - Oversigt
4 - Søg

The Commission´s standard contractual clauses

The transfer of personal data to third countries requires a separate legal basis in Chapter 7 of the Act on Processing of Personal Data. This requirement also applies in cases that do not involve the transfer of sensitive personal data, cf. sections 7 and 8 of the act.

In addition, section 27(6) of the act states that the transfer of personal data to third countries must always take place pursuant to the provisions of the Act on Processing of Personal Data. This means that there must be a legal basis for the processing of data in the processing rules in Chapter 4 of the act, and that the other rules of the act must also be observed. This requirement also applies when the standard contractual clauses described below are applied.

According to section 27(4) of the Act on Processing of Personal Data, authorisation must be obtained from the Danish Data Protection Agency in order to transfer personal data to third countries that do not fulfil section 27(1) of the act, and the controller seeks to provide adequate guarantees for the protection of the rights of the data subject.

Pursuant to Article 26(4) of the European Parliament and Council’s directive 95/46/EEC (data protection directive), the European Commission has found that certain model contracts/standard contractual clauses provide adequate guarantees for the protection of privacy, basic rights and liberties, as well as for exercising the associated rights. The use of these standard contractual clauses is carried out in accordance with Danish law, pursuant to section 27(4) of the Act on Processing of Personal Data, which covers the use of the Commission’s standard contractual clauses, as well as other contractual clauses prepared by the controller.

The standard contractual clauses approved by the Commission are accessible via the Commission’s website.

When using the Commission’s standard contractual clauses, the controller should begin by determining whether the transfer is to a processor or a controller established in a third country, as separate standard contractual clauses exist for these types of transfers.

As of January 1 2013 the Danish Act on Processing of Personal Data has been amended and it is no longer required that a data controller obtains an authorisation from the Danish DPA before transferring personal data to a third county. This is however under the condition that the standard contractual clauses have not been altered by the data controller. If the clauses have been altered an authorisation from the Danish DPA still has to be obtained before the personal data is transferred.

If the contractual clauses deviate from the Commission's standard contractual clauses, the contractual clauses must be submitted to the Danish Data Protection Agency with a summary of the changes made. The amended contractual clauses will then be treated as an ad hoc contract by the Danish Data Protection Agency, requiring the Agency's concrete assessment of the level of protection and safeguards to protect the rights of the data subjects as shown in the contractual clauses. In addition, the Danish Data Protection Agency will have to notify the Commission thereof. For these applications the Agency's processing time must be expected to be several months.

Go to the application form for third country transfers.