A Template And Questions: The EDPB’s Draft Article 28 Standard Contractual Clauses

Fox Rothschild LLP

While we are all digesting (and lamenting) the European Data Protection Board's post-Schrems II guidelines and the cross-border transfer standard contractual clauses, the European Commission has issued draft standard clauses that are meant to replace the Article 28 data processing addendum between controllers and processors that are subject to the EU's General Data Protection Regulation.

Key takeaways:

  • Annex for specifying controller instructions. (Is this another hint that reference to the "main agreement" is not enough?)
  • Annex for specifying the description of the processing which includes the requirement to indicate the place of the storage and of the processing.
  • Controller chooses whether processor will return or delete at the time the clauses are executed.
  • (Very detailed) annex for specifying technical and organizational measures (another indication, after the EDPB guidelines and the Netherlands AP guidance, that specificity is required here). Categories to be completed include: pseudonymization and anonymization; ensuring confidentiality, integrity and availability; regularly testing and evaluating technical and organizational measures; requirements for user identification and authorization; requirements for protection of data in transit and in storage; requirements for physical security; requirements for event logging; requirements for system configuration; requirements for internal IT and IT security governance and management; requirements for certification; requirements for data minimization; requirements for data quality; requirements for data retention; requirements for accountability; and requirements for data portability and disposal.
  • Annex for setting forth specific restrictions/additional safeguards in the event special category data is processed.
  • Processor required to notify the controller without undue delay and not later than 48 hours after having become aware of a breach (no more open-ended "where feasible").
  • Requirement on the data controller and data processor to make compliance documentation, as well as the results of any audits (conducted by the controller or by a third party), available to the supervisory authorities on request.

Sub-processors

  1. Authorization
    Option 1: Specific Authorization — the clauses require the request for specific authorization to be made at an agreed-upon, specified time prior to the engagement.
    Option 2: General Authorization — the clauses allow an annex listing the sub-processors the data processor "intends to engage" and require it to inform the controller in writing of any intended changes to the list a specified period in advance, so that the data controller has the opportunity to object to the change prior to the engagement of the new sub-processor.
  2. Agreement: Processors are required to include in the sub-processing contract "the same obligations imposed on the data processor under these Clauses." This echoes the GDPR Article 28(4) requirement without any wiggle room to interpret it as meaning "not less onerous" or "substantially the same." Especially when combined with the new requirement for a detailed security measures exhibit, requiring identical measures from the sub-processor puts data processors that engage large sub-processors, against which they have no bargaining power, in a tough spot.
  • In connection with the reporting of a data breach and prior consultation, the clauses require naming the competent DPA in the body of the clauses. What should this be if the controller is a non-EU controller? What if both parties are non-EU entities?
  • The Clauses require the parties to set out the appropriate technical and organizational measures by which the data processor is required to assist the data controller in connection with managing data subject rights, DPIA and breach reporting.
  • Clause 9 and Clause 8(c)(1)-(2) seem duplicative.
  • The clauses include circumstances for terminating the Clauses, independent from the termination of the main underlying commercial contract in cases of (i) Controller's suspension of the processing; (ii) processor's substantial or persistent breach of the clauses; or (iii) processor's failure to comply with a binding decision of a competent court or competent supervisory authority.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Fox Rothschild LLP
