In its Opinion 22/2024, dated 9 October 2024, the European Data Protection Board (EDPB) clarifies data controllers’ responsibilities under Article 28 of the GDPR when engaging processors and sub-processors. This summary outlines key takeaways from the Opinion.
Identification of all processors and sub-processors: a fundamental responsibility for controllers: In the increasingly complex landscape of data processing, data controllers must ensure they have a comprehensive understanding of all entities involved in processing personal data. The EDPB emphasizes that, irrespective of the processing chain’s complexity, controllers must maintain full awareness of who is processing data on their behalf. This obligation flows from the very concept of “data controller” as the entity that determines both the purposes and the means of data processing. Determining the recipients of personal data, including the processors, is one example of the determination of “essential means”, as the EDPB clarified in its earlier Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted in 2021).
The Opinion underscores that processors should proactively inform controllers of any sub-processors they engage, providing relevant details such as identity, address, and contact information. Such transparency allows controllers to oversee the processing activities, meet their legal obligations, and maintain accountability throughout the data processing chain.
Controllers remain accountable for the entire processing chain: A controller’s responsibility does not end once a processor is appointed. The obligation to verify compliance with data protection safeguards extends throughout the entire processing chain, encompassing not only the primary processor but also any sub-processors and entities further down the chain, including sub-sub-processors. The engagement of processors should not lower the level of protection afforded to data subjects compared to a scenario where the controller processes the data directly.
Processors are responsible under GDPR Article 28(4) for ensuring that their sub-processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. However, the controller retains ultimate accountability for the decision on whether to engage a specific sub-processor. The controller may choose to rely on information provided by the processor to verify the sufficiency of the guarantees provided by the sub-processor, but must enhance its verification where necessary — for instance, if the information appears incomplete or raises concerns. When verifying whether the (sub-)processors present sufficient guarantees, controllers have some flexibility in their approach, which should be tailored based on a risk assessment. Lower-risk processing activities may require a lower level of verification, whereas higher-risk activities necessitate a higher level of verification in terms of checking the sufficient guarantees presented by the processing chain. Importantly, this responsibility is ongoing: controllers must regularly verify these guarantees to ensure continuous compliance.
Reviewing sub-processor contracts: a case-by-case assessment: Under the GDPR, data controllers and processors must ensure that sub-processors are subject to the same data protection obligations as those agreed upon between the controller and the initial processor. This helps to maintain a consistent level of data protection throughout the processing chain, even if the sub-processing agreements are not identical, in wording, to the original contract.
Importantly, there is no obligation for controllers to systematically verify all sub-processing contracts. Instead, the need for such a review depends on the specific circumstances of each case. For instance, if there are doubts about the processor’s compliance with legal obligations when engaging a (sub-)processor, or if a supervisory authority requests it, the controller should obtain the contract for review.
Cross-border data transfers: maintaining oversight and compliance: When a processor transfers personal data on behalf of a controller, the controller retains key responsibilities under both Article 44 (General principle for transfers) and Article 28(1) (Processor) of the GDPR. Below are examples of documentation the controller should review and be prepared to present to the competent Supervisory Authority in case of an audit:
- Transfer mapping: this mapping, prepared by the processor, should detail in writing the categories of personal data that are going to be transferred (including through remote access), where the data is transferred, and for what purposes.
- Grounds for transfer: where the processor intends to transfer personal data to a country for which there is no adequacy decision under Article 45 of the GDPR, the controller should assess the appropriateness of the safeguards put in place by the processor.
- Transfer impact assessment (TIA): where applicable, the controller should ensure that the processor carries out a TIA before the transfer. In line with relevant case law and EDPB Recommendation 01/2020, the assessment should involve evaluating laws and practices in the destination country and identifying appropriate supplementary measures.
Controllers must also be able to provide documentation related to transfers subsequent to the initial transfer by the data processor. This requires the controller to obtain information from (sub-)processors/exporters, demonstrating that importers comply with the onward transfer requirements specified in the relevant safeguards.
Contractual requirements with processors: The EDPB recommends including in data processing agreements the clause from Article 28(3)(a) of the GDPR, either verbatim or in very similar terms. The clause stipulates that processors may only process data based on the controller’s instructions, “unless required to do so by Union or Member State law to which the processor is subject.” Inclusion of this exact wording (or of similar terms) is not strictly required, but it demonstrates a commitment to GDPR compliance. In any event, even if the data processing agreement does not include a variation of the “unless…” phrase, the agreement must still require the processor to inform the controller if it is legally compelled to process data contrary to the controller’s instructions.
A controller and a processor may wish to include in their data processing agreement wording that is broader than the Article 28(3)(a) formulation, for example “unless required to do so by law or binding order of a governmental body”. The purpose of such a provision would be to exonerate the processor from responsibility vis-à-vis the controller in those instances in which a law other than Union or (EEA) Member State law compels the processor to disclose personal data to the authorities in a third country, or to otherwise process personal data other than upon the instructions of the controller. The question is whether the inclusion of such an extended exception inherently violates Article 28(3)(a).
The EDPB answered the question in the negative: there is no violation, i.e. the controller and the processor may include a broader exception that also covers third-country law, as this falls within their freedom to contract. However, any such exception must be accompanied by appropriate safeguards to remain GDPR-compliant. The Standard Contractual Clauses (SCCs) for international transfers provide useful guidance on this issue, particularly Clause 14 (“Local laws and practices affecting compliance with the Clauses”) and Clause 15 (“Obligations of the data importer in case of access by public authorities”). For instance, requiring processors to notify controllers of conflicting legal requirements in third countries, to assess the demands, and to challenge them where necessary helps ensure that controllers remain informed and can decide on appropriate actions, such as suspending transfers if needed.
Conclusion
The EDPB’s Opinion 22/2024 highlights the importance of maintaining accountability across the entire processing chain, emphasizing that data controllers must remain vigilant and informed, even when engaging sub-processors. Controllers should not view the appointment of processors as diminishing their responsibilities; rather, they must continue to uphold the high standards of data protection mandated by the GDPR, ensuring that all processing activities adhere to the data protection principles.