Opinion 18/2021 on the draft Standard Contractual Clauses submitted by the LT SA (Article 28(8) GDPR)
1 Adopted Opinion 18 /2021 on the draft Standard Contractual Clauses sub mitted by the LT SA (Article 28( 8 ) GDPR) Adopted on 19 May 2021 2 Adopted 3 Adopted The European Data Protection Board Having rega rd to Article 28(8), Article 63 and Article 64(1 ) (d), (3) - (8) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe…
How it connects
Related across sources
Full text
1 Adopted Opinion 18 /2021 on the draft Standard Contractual Clauses sub mitted by the LT SA (Article 28( 8 ) GDPR) Adopted on 19 May 2021 2 Adopted 3 Adopted The European Data Protection Board Having rega rd to Article 28(8), Article 63 and Article 64(1 ) (d), (3) - (8) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here i n after , “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and 22 of its Rul es of Procedure of 25 May 2018, Whereas: (1) The main role of the European Data Protection Board ( hereinafter, the “ Board ” ) is to ensure the consistent application o f the GDPR throughout the Union . To this end , the Board shall issue an opinion based on Article 64(1)(d) GDPR w here a supervisory authority ( hereinafter, “ SA ” ) aims to determine standard contractual clauses ( hereinafter, also “ SCCs ” ) referred to in A rticle 28( 8 ) GDPR. The aim of this O pinion is therefore to contribute to a harmonised approach concerning measures to be adopted by a supervisory authority that are intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States and the consistent implementation of the GDPR’s specific provisions . (2 ) In the context of the relationship between a data controller and a data processor ( or data processors ) for the processing of personal data, the GDPR establishes, in its A rticle 28, a set of provisions with respect to the s etting up of a specific contract between the parties involved and to mandatory provisions that should be incorporated in it. (3 ) According to Article 28(3) GDPR , the processing by a data processor “ shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller ”; a set of specific aspects to regulate the contractual relationship between the parties is therefore set out, including among others, the subject - matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects . (4 ) Under Article 28(6) GDPR, without prejudice to an individual contract between the data controller and the data processor, the contract or the other legal act referred in paragraphs (3) and (4) of A rticle 28 GDPR may be based, in whole or in part , on standard contractual clauses. These standard contractual clauses are to be adopted for th e matters referred to in paragraphs (3) and (4). (5 ) Furthermore , A rticle 28(8) GDPR determine s that a SA may adopt a set of standard contractual clauses in accordance with the consistency mechanism referred to in A rticle 63. In this regard, SAs are required to cooperate with other members of the Board and , where relevant, with the European Commission through the consistency mechanism. Pursuant to Article 64(1)(d), SAs are required to 1 References to the “Union” or the “EU” made throughout this Opinion should be understood as references to the “EEA”. 4 Adopted communicate to the Board any draft decision aiming to determine standard contractual clauses pursuant to A rticle 28(8). In t his context, the Board is required to issue an opinion on the matter, pursuant to A rticle 64(3), where it has n o t already issued an opinion on the same matter. ( 6 ) Adopted s tandard contractual clauses constitute a set of guarantees to be used as is, as they are intended to protect data subjects and mitigate specific risks associated with the fundamental principles of data protection. (7) The opinion of the Board shall be adopted pursuant to Article 64(3) GDPR in conjunction with Article 10(2) of the EDP B Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete (unless the period is extended upon decision of the Chair by a further six weeks) . HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1. The Lithuanian supervi sory authority (hereinafter, “LT SA”) has submitted its draft decision and i ts draft standard contractual clauses to the Board , requesting its opinion pursuant to A rticle 64(1)(d) , for a consistent approach at Union level . After the decision on the completeness of the file, t he EDPB Secretariat circulated the file to all members on behalf of the Chair on 26 March 2021. 2. The Board has received the draft SCCs from the LT SA along with a draft decision explaining the background and role of the standard contractual clauses. These two documents were provided by the LT SA in an English version. 2 ASSESSMENT 2.1 General reasoning of the Board regarding the set of standard contractual clauses 3. Any se t of standard contractual clauses submitted to the Board under Article 28(8) and Article 64(1)(d) must further specif y the provisions foreseen in Art icle 28 GDPR. The opinion of the Board aims at ensuring consistency and a correct application of Article 28 GDPR as regards the presented draft clauses , which could serve as Art. 28(8) standard contractual clauses . 4. The Board notes that the draft SCCs presented to the Board are composed of two parts: 1) a general part contain ing general provisions to be used “ as is ” ; and 2) a specific part that has to be completed by the parties with regard to the specific processing which the contract seeks to govern. 5. The Board recalls that the evaluation of each draft decision subject to the consistency mechanism is made individual ly and on its own merits , bearing in mind the goal of ensuring consistency . 5 Adopted 6. The EDPB has already expressed its views on draft standard contractual clauses for the purposes of compliance with Article 28 GDPR in EDPB Opinion 14/2019 2 , EDPB Opinion 17/2020 3 , and EDPB - EDPS Joint Opinion 1/2021 4 . 7. When this opinion rem ains silent on one or more clause s of the SCCs submitted by the LT SA , it means that the Board is not asking the LT SA to take further action with regard to those specific clauses . 2.2 Analysis of the draft decision and of the draft standard contractual clauses 2.2.1 General remark on the whole SCCs and on the draft decision 8. Since a contract under Article 28 GDPR should further stipulate and clarify how the obligations in Article 28(3) - (4) will be f ulfilled, the SCCs need to be analysed in their entirety. 9. In addition, the Board recalls that the possibility to use Standard Contractual Clauses adopted by a supervisory authority do es not prevent the parties from add ing other clauses or additional safeg uards , provided that they do not contradict, directly or indirectly, the adopted standard contractual clauses or prejudice the fundamental rights or freedoms of the data subjects . Furthermore , w here the standard data protection clauses are modified, the pa rties will no longer be deemed to have implemented adopted standard contractual clauses. Consequently, the Board recommends that the LT SA replace the words “ if they directly or indirectly contradict ” in the draft decision (paragraph 2) by “ as long as they do not directly or indirectly contradict ” . 10. The Board notes that the wording of several clauses of the SCCs in the English version provided are not in line with the terminology of the relevant provisions of the GDPR. Examples include: “ controller’s duties ” (used instead of “ controller’s obligations ”), “ Union or Member State legal acts ” (used instead of “ Union or Member State law ”), “ permission ” (used instead of “ authorization ”) , “ prove ” (used instead of “ demonstrate ”) , “ special ” (used instead of “ specific ”). T he Board therefore recommends the L T SA to align the wording of those clauses with the relevant provisions of the GDPR. 11. Further, t he Board is of the opinion that the use of the word “ Agr eement ” to designate SCCs may trigger confusi on between this contractual document which serve as Article 28(8) GDPR standard contractual clauses and other possible agreements that might be concluded by the Parties . For the sake of clarity , the Board recommends that the LT SA replace the word s “ Agreem ent ” by “ Standard 2 EDPB Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR), adopted on 9 July 2019, avai lable here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinion_201914_dk_scc_en.pdf ; The final version of the standard contractual clauses for the purposes of compliance with Article 28 GDPR adopted by the Danish SA is available here: https://edpb.europa .eu/our - work - tools/our - documents/decisionsa/dk - sa - standard - contractual - clauses - purposes - compliance - art_en . 3 EDPB Opinion 17/2020 on the draft Standard Contractual Clauses submitted by the SI SA (Article 28(8) GDPR), adopted on 19 May 2020, available here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinion_202017_art28sccs_si_en.pdf . 4 EDPB - EDPS Joint Opinion 1/2021 on the draft Standard Contractual Clauses submitted by the European Commission (Article 28(7) GDPR), adopted on 19 May 2020, available here: ht tps://edpb.europa.eu/our - work - tools/our - documents/edpbedps - joint - opinion/edpb - edps - joint - opinion - 12021 - standard_en . 6 Adopted Contractual Clauses ” or “ Clauses ” where referring to the aforementioned SCCs , in the whole draft decision and in the whole annex . 12. The Board recommends removing the reference to “ other mutual agreements ” from page 1 (last paragraph) of the draft SCCs as it seems to imply that additional clauses or agreements entered into by the parties fall within the scope of the SCCs themselves. 13. Finally, the Board is of the opinion that a specific provision on the de finition of the terms used in t he C lauses might be added to the SCCs in order to avoid any difficulties in practice . The Board therefore encourages the LT SA to specify that whenever the Clauses use the terms defined in the GDPR, those terms have the meani ng given to such terms by the GDPR itself . 2.2.2 Purpose of the agreement ( Chapter I of the SCCs ) 14. Regarding clause 2 of the SCCs , the Board is of the opinion that the wording “ [where applicable, details of the agreement on provision of such services ] ” is not fully clear, and encourages the LT SA to further clarify which type of details the parties would be expected to insert. As an example, the clause may be redrafted as follows: “ [where applicable, specify details on the agreement entered into by the Parties on these services, e.g. date / title] ”. In addition , and in order to avoid any doubt regarding what should be filled in by the Par t i e s in Annex 1, the Board encourages the LT SA to replace the word s “ including but not limited to the subject, purpos e and nature of the processing of personal data, types of personal data, categories of the data subjects etc . ” with a direct reference to Annex 1 . 2.2.3 Obligation of the parties ( Chapter II of the SCCs ) 15. Regarding clause 3 of the SCCs, the Board is of the opinion that the reference to commitments that the controller “shall undertake” may be misleading in the context of a contract because the rights and obligations of the controller described in clause 3 are already vested in the controller by the GDPR, and that it should be deleted. In addition, this clause would be clearer if a reference to Article 24 GDPR and its accountability principle were made . Consequently, the Board recommends that clause 3.1 be modified, for instance , as follows: “ [ The Data Controller] is res ponsible for ensuring that the processing of personal data takes place in compliance with Regulation (EU) 2016/679 (see Article 24 GDPR) [...] ”. 16. Regarding clause 3.2 of the SCCs, since the controller has already defined the purposes and means of the processing activity subject to the SCCs, t he Board recommends to the LT SA to rephrase it as follows : “ 3.2 [The Data Controller] has the right and obligation to make decisions about the purposes and means of the proce ssing of personal data ”. 17. Regarding clause 3.3 of the SCCs , the Board is of the opinion that it should be clarified that the obligation of the controller is not limited to the identification of the legal basis , and thus recommends that the clause be redrafted as follows : “ 3.3 [The Data Controller] shall be responsible, among others , for ensuring that the processing of personal data which the data processor is instructed to perform has a legal basis .” 18. Regarding clause 4.1 of the SCCs, third sentence, t he Board is of the opinion that the possibi lity for the controller to give subsequent or further instructions is necessary to fully implement the rights and obligations of the parties set out in the clause 4, but is not unlimited. Any subsequent instructio n should be in line with the respective rights and obligations of the parties set out in the SCCs. For the sake of clarity, the EDPB therefore encourages the LT SA to specify this in the clause. 7 Adopted 19. Furthermore , the Board considers that where the processor process es the data not under the instructions of the controller but because it is required to do so by Union or Member State law to which it is subject, then the processor shall inform the controller of the legal requirement before the proce ssing of this data , unless that law prohibits such information on important grounds of public interest. The Board therefore recommends to the LT SA to include this specification . 2.2.4 Confidentiality ( Chapter III of the SCCs) 20. Regarding clause 7 of the SCCs , first sentence, the Board recommends, for the sake of consistency and clarit y, that the LT SA bring the wording in line with A rticle 28(3)(b) GDPR and refer explicitly to the principle of the access to the personal data on a “need - to - know” basis. The Board would therefore suggest the following wording: “ under the processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis ” . Furthermore, the Board encourages the LT SA to split the following part of clause 7 into different paragraphs and introduce some amendments in order to enhance its clarity: c lause 7 can therefore be reorganised as follows: “ 7. [...] The Parties ensure that: 7.1. In case of a need to change in the persons having access to personal data , their right of access to the Data Controller’s personal data shall be revoked not later than on the last day on which their tasks require them to have access to the personal data of the Data C ontroller entrusted to the Processor. I n case of discontinuation of employment relationship with the employee of the Data Processor, the access right s to the Data Controller’s personal data shall be revoked not later than on the last day of work . 7.2 The list of persons granted access to personal data shall be reviewed on a periodical basis [...] ” . 2.2.5 Security of processing ( Chapter IV of the SCCs ) 21. Regarding clause 9 of the SCCs, the Board recommends that the LT SA specify that the level of the risk should take into account “ the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons ” , which corresponds to the wording of Article 32(1) GDPR. This specific wording is used in the GDPR to make sure that the level of security applied to the processing of personal data is always in line with the latest technological evolutions. 22. Regarding cla use 11 of the SCCs, the Board encourages the LT SA to delete “ which may arise ” and to replace “ minimise the risk ” by “ mitigate the risk ” . In addition , the Board recommends to the LT SA to clarify that “ independe ntly from the controller ” refers to the asses sment of the risk, rather than to the implementation of measures, which in the current wording is not entirely clear. As an example, the first sentence of the clause may be redrafted as follows : “ According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing activity entrusted to it by the controller, and implement measures to mitigate those risks ” . 23. Regarding clause 12 of the SCCs, the Board recommends that the LT SA align the wording with Article 28(3)(f) GDPR , by referring to assistance to the controller in ensuring compliance with the obligation (instead of “ fulfilment ” of its “ duties ”) provided for in Article 32 GDP R. 24. Regarding clause 13 of the SCCs, the Board understands that the first sentence refers to the case where subsequently, in the assessment of the controller, the mitigation of the identified risks requires further measures to be implemente d by the proces sor. If it is the case , the Board recommends to the LT SA to clarify this. As regard s the second s entence of the clause, the Board is of the opinion that it 8 Adopted may be misleading to specify the right of the controller to obtain evidence of implementation of su ch supplementary measures, considering that the audit right of the controller applies m ore broadly to all the obligations laid down in these SCCs as provided for in Article 28(3)(h) GDPR . The Board therefore recommends to the LT SA to amend this sentence a nd make reference to Chapter X of the SCCs (e.g. “ The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with its obligations as provided in Chapter X of the Clauses ”) . 2.2.6 Engagement of other data processor (Chapter V of the SCCs) 25. Regarding Chapter V of the SCCs, the Board encourages the LT SA to slightly rephrase several sentences in order to clarify them. In clause 16, “ for the performance of this Agreement ” could be redrafted as “ for the performa nce of the processing carried out under this Agreement ” . In clause 16.1, the words “ to the date of engagement ” can be replaced by “ before the date of engagement ” . In clause 16.2, “ no later than till [specify the period] ” can be replaced by “ no later than [ specify the period] in advance ” and “ special additional ” by “ specific ” . Finally, the Board suggests avoiding repetition of the reference to Annex 2 in the latest sentences of clauses 16.1 and 16.2 which is already stated in clause 15. 26. Regarding clause 17 of the SCCs more specifically, the reference to the possibility to enter into a contract or another legal act as currently included in the draft SCCs seems to be potentially misleading. Therefore, the Board recommends that this clause should be aligned wit h the wordi ng of Article 28(4). In addition , the Board considers that it should specified in this clause that prior to the processing, the data processor shall inform the sub - processor of the identity and contact details of the controller for which the sub - processor processes personal data. The Board encourages the LT SA to rephrase the clau se accordingly , f or example as f ollow s : “ Where the Processor engages a sub - processor for carrying out the particular processing o n behalf of the Controller, the same data protection obligation s as set out between the controller and the processor shall be imposed on the sub - processor by way of a contract or another legal act under Union or Member State law , in partic ular providing suffi cient guarantees to implement appropriate technical and organizational measures so that processing me e t s the requirements of Regulation (EU) 2016/679. Prior to processing, the data processor shall inform the sub - processor of the identity and contact details of the controller for which the sub - processor processes personal data ” . 27. Regarding clause 18 of the SCCs, the Board notes that the suggested obligation for the processor to provide a copy of the contract with the sub - processor where there is an impact on the instructions or the level of security is not explicitly provided by the GDPR and may be of unclear application for the parties, but understands the intention of requiring the processor to notify the controller in case of issues arising in connection with the engaged sub - processor . The Board recommends therefore that the LT SA replace thi s provision with the obligation for the proce ssor to notify to the controller any failure by the sub - processor to fulfil its obligations under the contract or other legal act binding on this sub - processor . Finally, the last sentence should be rephrase d as follows: “ The Data Processor is not obliged to provide the provisions of the Agreement on the business - related issues which do not have an impact on the terms and conditions of the legal protection of personal data of the contract concluded with the sub - processor ” . 28. Regarding clause 19 of the SCCs, the Board understands that the intention is to create a “third party beneficiary right” for the controller within the contract between the data processor and the sub - processor. Therefore , the Board encourages the LT SA to clarify the nature of the clause for instance by redrafting the first sentence as follows : the processor “ shall agree on a third - party beneficiary 9 Adopted clause with a sub - processor (if any) providing that [...] ” . The Board also recommends that “ continue data processing relationship directly with the sub - processor ” should be replaced with “ enforce the agreement directly against the sub - processor ”. Additionally, the Board recalls that it sees an added value in having such a clause as part of a standard contractual clauses as it preserves the ri ghts of the controller and therefore recommends to the LT SA to transform it into a non - optional clause. 29. Regarding clause 20 of the SCC s , the Boards encourages the LT SA to include a reminder that the “ The data processor shall be responsible for requiring that the sub - processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR ” . 2.2.7 Transfer of data to third countries or international organisations ( Chapter VI of the SCCs ) 30. The Board encourages to the LT SA to clarify that th e words “third countries” refer to countries outside of the EEA and not outside of Lithuania . This could be carried out by adding in clause 2 1 “[...] third countries (i.e. countries outside of the E uropean E conomic A rea ) [...] ”. 31. In addition, the Board recommends the deletion of footnote 2 in c lause 21 and of the same sentence in Annex 3, Point 6 due to the fact that such standard contractual clauses do not appear as the relevant document to elaborate on the definition o f the no tion of transfers of personal data . 32. Regarding clause 22 of the SCCs, the Board recommends to replace the wording “ transfer of such information ” with “ communication of such information ” , in order to avoid any confusion with the notion of transfer as referred to in Chapter V of the GDPR. 33. Regarding clause 23.1 of the SCCs , the Board encourages the LT SA to clarify the wording as follows: “ to transfer personal data to a Data Controller or a Data Processor in a third country or in an international organisation ” . 34. The Board considers that mentioning the chosen tool for transfers, in addition to the instructions, contributes to demonstrating compliance of the parties with Chapter V of the GDPR; therefore, the EDPB encourages the LT SA to further clarify clause 24 of the SCCs as follow s : “ The data controller’s instructions or approval regarding transfers of personal data to a third country including, if applicable, the transfer tool under Chapter V of Regulation (EU) 2016/679 on which they are based, shall be set out in Annex 3 of these standard contractual clauses ” . 2.2.8 Assistance to the data controller ( Chapter VII of the SCCs ) 35. The Board encourages , for the sake of clarity as well as consistency with Article 28(3)(e) GDPR, the LT SA to slightly rephrase the clause 26 of the SCCs as follow s : “ Taking into account the nature of processing, the Data Processor shall assist the Data Controller to fulfil the Data Controller’s obli gation to respond to the requests for exercise of the data subject’s rights provided for in Chapter III of Regulation (EU) 2016/679 by appropriate technical and organisational measures insofar as this is possible . This implies that the Data Processor shall , insofar as this is possible , assist the Data Controller in its obligation to give effect to the following data subject rights ” . 36. Regarding clause 27 of the SCCs, the Board notes that the content of this clause is repeated in clause 29. The Board therefore encourages the LT SA to merge clause 27 into clause 29, so that the new clause is aimed to ensure that the parties detail the arrangements on the manner the processor is bound to assist the controller relating to data subject rights and data bre aches in Annex 3 . By way of 10 Adopted example, the new clause could read as follows: “ The Parties shall establish in Annex 3 hereto the appropriate technical and organisational measures which should be taken by the Data Processor to assist the Data Controller with d ata subject rights and with the obligations under Articles 33 to 36 GDPR, as set out in paragraphs 26 and 27 hereof ” . 37. The Board understands that c lause 28 of the SCCs , coupled with clause 12, is aimed to reflect the content of Article 28(3)(f) GDPR : while clause 12 refers to the processor’s assistance with compliance with Article 32 GDPR, clause 28 covers the processor’s assistance with compliance with Articles 33 to 36 GDPR. As a consequence, the Board recommends that clause 28 refer to clause 12 (rather t han 13), and to redraft the clause to ensure closer consistency with the relevant provisions of the GDPR. The clause could be redrafted, for instance , as follows : “ In addition to the Data Processor’s duty to assist the Data Controller in accordance with p aragraph 12 hereof, t he Data Processor , taking into account the nature of processing and information available to the Data Processor, shall also assist the Data Controller in ensuring compliance with : 28.1 the Data Controller’s obligation to, without undue delay and where feasible, [...]; 28.2 the Data Controller’s obligation to notify without undue delay [...] 28.3 the Data Controller’s obligation to carry out a data protection impact assessment [...] where a type of processing is likely to resul t in a high risk to the rights and freedoms of natural persons. 28.4 the Data Controller’s obligation to consult the competent supervisory authority [...] if the data protection impact assessment indicate s that processing of data would result in high risk if the Data Controller fails to take measures to mitigate the risk ”. 2.2.9 Notification of personal data breach ( Chapter VIII of the SCCs ) 38. C lause 30 of the SCCs , second sentence, recommends to the Parties to select a number of hours by which the processor shall notify a data breach which does not exceed 24 hours from the moment of becoming aware of the personal data breach. Such delay may be short in some situations and may also trigger confusion with the del ay by which the controller has to notify the personal data breach to the SA . While taking into account the requirement for the processor to notify the controller “ without undue delay ” after becoming aware of the personal data breach in accordance with Arti cle 33.2 GDPR, the Board recommends the LT SA to delete the sentence recommending that the timeframe (which anyways starts from the moment of becoming aware of the personal data breach - the word “breach” is missing) should not exceed 24 hours and allow th e parties to choose the appropriate timeframe . Additionally, the Board recommends the deletion of “ If possible ” from the second sentence of clause 30 taking into account that a processor has in any event an obligation to proceed to such notification (Artic le 33.2 GDPR) and to avoid giving rise to situations where the processor may argue it was “impossible” to notify the controller concerning the data breach within the agreed timeframe. 39. Regarding clause 31.4 of the SCCs, the Board encourages the LT SA to refer to the “ request of the competent supervisory authority ” instead of the “ letters of the co mpetent supervisory authority ” , since a supervisory authority mig ht request information by means other than letters. 40. Regarding clause 32 of the SCCs, pertaining to the obligation of the processor to notify additional information in case it fails to provide all information on the occasion of th e first notification, the Board recommends that the LT SA remo ve the reference to 24 hours. Instea d, it should be made clear that this information must be provided “ without undue further delay ” (instead of “ immediately ”) in accordance with the controller’s obligation under Article 33(4) GDPR. 11 Adopted 2.2.10 Erasure and return of data ( Chapter IX of the SCCs ) 41. Regarding clause 34 of the SCCs , the Board recommends that the LT SA specify that the options provided by this clause are le f t “ at the choice of the controller ” in order to more closely match the word ing of Article 28(3)(g) GDPR. In addition, the Board sug gest s replacing “ confirm ” by “ demonstrate ” . Thirdly, the Board recommends clarifying that the deletion of existing copies must be carried out “in any event” (the sentence could be thus rephrased as “ [...] and in any event delete the existing copies unless [...] ” ). Finally, the Board recommends that the LT SA detail in the c lause itself that the controller should be able to modify the choice made at the time of signature of the contract throughout the life cycle of the contract and upon its termination. 2.2.11 Co ntrol of the data processor / Audit and inspection ( Chapter X of the SCCs ) 42. The Board understands that the Chapter X is referring to Article 28(3)(h) GDPR. The Board therefore encourages the LT SA , for purposes of clarification about the content of this Cha pter, to rephrase the title of Chapter X as follows: “ A udit and inspection of the data processor ” . 43. Regarding clause 37 of the SCCs, the Board encourage s the LT SA , for the sake of consistency with the GDPR, to slightly rephrase this clause to align it with the terminology of Article 28(3)(h) GDPR: “ The Data Processor shall make available the Data Controller with all information necessary to demonstrate compliance with the obligation set out in Article 28 of Regulation (EU) 2016/679 and the Agreement and enable and assist the Data Controller or another auditor mandated by the Data Controller to carry out an audit including on - the - spot inspections ” . 44. Regarding clause 39 of the SCCs, the Board is of the opinion that the wording “ physical means ” might be misleading. The Board therefore encourages the LT SA to rather refer to “ physical facilities ” . Further, it may be advisable to specify with in t he SCCs that the controller and processor com mit to cooperating with the Supervisory Authority , including by making available to the authority upon request information aimed to demonstrate compliance , including the results of audits and inspections . 2.2.12 Final provisions ( Chapter XI of the SCCs ) 45. Regarding clause 44 o f the SCCs, the Board encourages the LT SA to clarify the terms “ materially or regularly breaches the Agreement ” in order to avoid any confusion as to their interpretation by the Parties. In addition to the termination provisions of cl ause 44 , the Board recommends that the SCCs include the possibility for the controller to terminate the SCCs where the clauses have bee n suspended in accordance with clause 43 of the SCCs and where com pliance has not been restored within a certain amount of time to be determined by the Parties. 2.2.13 A nnex 1 46. While noting that Annex 1 aims at providing details about the processing activities undertaken by the processor on behalf of the controller, the Board recalls that the processing activitie s should be described by the parties in the most detailed manner possible . Consequently, the Board welcomes the examples provided by the LT SA to illustrate the possible content of the sections of the Appendix as they are able to guide the parties’ descrip tion. 47. The Board is nonetheless of the opinion that slight clarifications can be made on the level of detail expected in the Annex 1. The Board therefore encourages the LT SA to refer to “ processing activities ” 12 Adopted instead of “ processing operations ” in point 1 of the Annex 1 , as well was to “ types of personal data ” instead of “ personal data ” in point 1.3 of the Annex 1 . 2.2.14 A nnex 2 48. Regarding p oint 1 of Annex 2, th e Board welcomes the inclusion of a table guiding the Parties in the description of authori sed sub - processors as provided for in Chapter V of the SCCs . 49. With regard to p oint 2 of Annex 2 on prior notification for granting permission to new sub - processors, the Board encourages the LT SA to clarify that this point refers to new sub - processors, not already listed in the previous point. Also, the Board is of the opinion that the first sentence in its current form may be interpreted as contradicting clauses 16.1 and 16.2 which requ ire that a specific period is set, and recommends that the LT SA rephrase the first sentence in order to guarantee that both the period of prior notification and the related te rms and conditions are provided by the Parties : “ Please specify the periods of a prior notification of granting permission to the sub - processors and other related terms and conditions ” . 2.2.15 Annex 3 50. Regarding Annex 3 of the SCCs , the Board is of the opinion that several sentences might be rephrased in order to avoid any confusion as to wh at it is expected to be filled in by the Parties. The Board therefore encourages the LT SA to refer to “ ’the processing entrusted ” instead o f “ the processing assigned ” (p oint 1 ), to “ elements ” instead of “ lots ” (p oint 2 ), to “ communication of the data ” instead of “ transfer of the data ” (p oint 2), to “ demonstrate the fact of erasure ” instead o f “ prove the fact of erasure ” ( p oint 4 ), to “ data processing location ” instead of “ d ata processing place ” (p oint 5 ) to “ information ” instead of “ f amiliarisation ” (p oints 7 and 8 ), and to “ physical facilities ” instead of “ physical measures ” (p oint s 7 and 8). 51. As a general remark with respect to p oint 2 of Annex 3, relating to Security of Processing, the Board recalls that the degree of detail of the information provid ed therein must be such as to enable the controller to assess the appropriateness of the measures, in order to comply with its obligation of accountability. Also, a suggestion for the parties to include a description of the measures for the protection of s oftware applications used to process personal data could be useful . 52. Regarding p oint 3 of Annex 3 related to the Assistance to Data Controller , the Board is of the opinion that the annex should include the steps to be taken by the processor and the procedure to be followed in providin g assistance to the controller with regard to both Article 28(3)(e) and 28(3)(f) GDPR . For example, with regard to the obligation of assistance under Article 28(3)(e) GDPR, it has to be clear in the SCCs whether the data processor is expected to have any contact with the data subjects, and how the processor needs to inform the controller when it comes to data subjects’ rights (e.g. forwarding the request to the controller within a specified timeframe or other appropriate measures). In this case, the assistance is provided only through an exchange of information between the controller and the processor. Another scenario could be that the controller instructs the processor to answer to data subject’s requests according to in structions given. Another option could be that the processor would make the technical implementations instructed by the controller with respect to data subjec t rights. The Board suggests that the LT SA give s examples of organisational measures under which the cooperation of the processor might be provided in order to indicate the level of detail expected to be filled in by the Parties in Annex 3. 13 Adopted 53. The Board also notes that p oints 7 and 8 of the Annex 3 state that where the controller carry out a physical ex amination/on - spot inspection of the processor and sub - processor, it shall bear the costs. As to the issue of allocation of costs between a controller and a processor is not regulated by the GDPR, the Board consequently encourages the LT SA to remove any re ference to the costs from these clauses. 3 CONCLUSIONS 54. The Board very much welcomes the Lithuanian SA’s initiative to submit its draft SCCs for an opinion which aim s at contributing to a harmonised implementation of the GDPR. 55. The Board is of the opinion that the draft SCC s of the Lithuanian Supervisory Authority submitted for an opinion need some further adjustment s in order to be considered as standard contractual clauses. If all recommendations listed in this Opinion are implem ented, the LT SA will be able to use this draft agreement as Standard Contractual Clauses pursuant to A rticle 28 ( 8 ) GDPR without any need for a subsequent adoption from the EU Commission . 4 FINAL REMARKS 56. This opinion is addressed to the Lithuanian Valstybinė duomenų apsaugos inspekcija ( the Lithuanian Supervisory Authority) and will be made public pursuant to Article 64 (5 )( b) GDPR. 57. According to Article 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means , within t wo weeks after receiving the opinion, whether it will amend or maintain its draft SCCs . Within the same period, it shal l provide the amended draft SCCs or, alternatively, the relevant grounds for which it does not intend to follow thi s opinion, in whole or in part. The supervisory authority shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism, in accordance with Article 70(1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)