EDPB Ruling Provides Takeaways for DPA Standard Contractual Clauses

The European Data Protections Board (EDPB) issued an opinion on the draft Standard Contractual Clauses (SCC) for a controller-processor data processing agreement under Article 28 (Data Processing Agreements) submitted by the Lithuanian supervisory authority.

Here are some universal takeaways for drafting and negotiating DPAs:

Controller Instructions

  • The possibility for the controller to give subsequent or further instructions is necessary to fully implement the rights and obligations of the parties but is not unlimited. 
  • Where the processor processes the data not under the instructions of the controller, but because it is required to do so by union or member state law to which it is subject, then the processor shall inform the controller of the legal requirement before the processing of this data, unless that law prohibits such information on important grounds of public interest.

Technical and Organizational Methods

  • The DPA should specify that the level of the risk should take into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons,” which corresponds to the wording of Article 32(1) GDPR.


  • The DPA should specify that prior to the processing, the data processor shall inform the sub-processor of the identity and contact details of the controller for which the sub-processor processes personal data.
  • There is an added value in having a third-party beneficiary clause as part of a standard contractual clause as it preserves the rights of the controller and it should, therefore, be mandatory.

Data Breach Notification

  • The parties should specify the number of hours by which the processor shall notify regarding a data breach, and it should not exceed 24 hours from the moment the processor becomes aware of a personal data breach.
  • One should not use the modifier “if possible” in connection with the data breach notification timing, taking into account that a processor has in any event an obligation to proceed to such notification (Article 33.2 GDPR).

Deletion and Termination

  • The controller should be able to modify the choice re: return or deletion that it made at the time of signature of the contract throughout the life cycle of the contract and upon its termination. Remaining copies should be deleted in any event.
  • The DPA should include the possibility for the controller to terminate where the DPA has been suspended and where compliance has not been restored within a certain amount of time to be determined by the parties.


  • The processing activities should be described by the parties in the most detailed manner possible.
  • The degree of detail of the information provided must be such as to enable the controller to assess the appropriateness of the measures, in order to comply with its obligation of accountability.
  • The annex should include the steps to be taken by the processor and the procedure to be followed in providing assistance to the controller with regard to assisting the controller with its obligations.

For more information, we encourage you to access the original article in full here.

Odia Kagan (L.L.M. ’09) is a Partner and the Chair of GDPR Compliance and International Policy at Fox Rothschild LLP.

Leave a Comment