Reason for this Opinion
Opinion 22/2024 arose from a request by the Danish Data Protection Authority (DPA) for guidance from the EDPB under Article 64(2) GDPR. This procedure allows national data protection authorities to seek EDPB opinions on matters of ‘general application or producing effects in more than one EU Member State’ (as was accepted by the EDPB to be the case in respect of the Danish DPA’s questions).
The Danish DPA posed several questions to the EDPB, focusing on scenarios where a controller engages a processor that in turn engages other (sub-)processors under Article 28 GDPR. The questions addressed various aspects of such (sub-)processing chains and the related accountability obligations of controllers.
Notably, the Opinion was issued without the usual public consultation that precedes the adoption of EDPB Guidelines, because such consultation is not required for opinions issued by the EDPB under the Art. 64 procedure. It may therefore have come across as a bit of a surprise to controllers and processors alike.
Key findings of the EDPB
- Identification of actors in the processing chain: The Opinion addresses the extent to which processors must disclose all sub-processors engaged in a processing chain under the requirement, among others, to obtain specific or general authorisation for sub-processors in Article 28(2) GDPR. This boils down to whether it is sufficient to only disclose the first line of sub-processors, or whether the sub-processor’s sub-processors (and so on further down the chain) also need to be disclosed as part of a specific or general authorization mechanism.
On the face of it and perhaps unsurprisingly, the EDPB takes a rather strict stance, stating that ‘the processor should proactively provide to the controller all information on the identity of all processors, sub-processors etc. processing on behalf of the controller, and should keep this information regarding all engaged sub-processors up to date at all times.’
In practice, this essentially means that the EDPB expects that the identity of all processors in a processing chain must be accessible to the controller. However, the EDPB acknowledges that it is open for the controller and processor to agree between them how and in which format this information can be made available, which leaves some room for flexibility in meeting this requirement.
- Verification and documentation of sufficient guarantees: Under Art. 28(1) GDPR, controllers must engage processors that provide ‘sufficient guarantees’ for implementing appropriate measures to ensure GDPR compliance and protect data subjects' rights, regardless of the risk level associated with the relevant processing activities. However, the EDPB acknowledges that the extent of verification required will vary, depending on the level of risk involved and, therefore, the nature of the technical and organizational measures needed.
- Verification of sub-processor contracts: The initial processor should propose only those sub-processors that offer sufficient guarantees regarding technical and organizational measures. However, ultimate responsibility for verifying these guarantees lies with the controller. The controller must be able to demonstrate that it has verified the sufficiency of guarantees provided by its (sub-)processors. Further, the level of verification should be increased for high-risk processing.
Crucially, the EDPB specifies that controllers need not systematically ask for every sub-processing contract to check that the data protection obligations in their initial contract with the processor have been carried down the chain, and the requirements should be assessed on a case-by-case basis. Rather, the controller may rely on information provided by the initial processor if the information submitted by the processor actually demonstrates compliance.
- Onward transfers: Controllers remain responsible for ensuring sufficient guarantees that personal data will be protected when the data is transferred outside the EEA between processors (even if the initial processor engaged by the controller is based in the EEA). This includes conducting Transfer Impact Assessments (TIAs) to evaluate the legal and practical implications of such onward transfers. In practical terms, this means that an exporting processor should assist the controller by preparing the relevant paperwork, which the controller can assess and rely on for the purposes of its own TIA.
- Contract language on documented instructions: The EDPB discusses the requirement for processors to process personal data only in accordance with documented instructions from the controller, unless they are ‘required to by Union or Member State law to which the processor is subject’ (Art. 28(3)(a) GDPR). While it is highly recommended to include language reflecting this requirement, it is not mandatory and parties retain the freedom to tailor controller-processor contracts, as needed within the limits of Article 28(3) GDPR.
The EDPB concludes that alternative wording such as ‘unless required to do so by law or binding order of a governmental body’ does not infringe Article 28 GDPR, but it does not exonerate the controller and processor from their obligations under the GDPR. Further, this alternative wording cannot be construed as a documented instruction by the controller to process data.
What is the practical impact of the Opinion?
The EDPB Opinion is not a draft and is immediately applicable. However, it is not legally binding and instead provides guidance for how the GDPR should be applied in the view of the EU data protection authorities. National data protection authorities will consider this Opinion when applying the GDPR, such as during investigations and other enforcement procedures. Consequently, both controllers and processors should take into account the views expressed by the EDPB as part of their data protection management systems and GDPR compliance efforts. The key points to consider are set out below.
Identification of sub-processors
Companies should pay particular attention to the EDPB’s requirement that controllers be able to identify all processors involved in a (sub-)processing chain at any given time. At first glance, this could be understood as adding a new layer of responsibility for controllers to maintain records of their entire (sub-)processing chains. However, the Opinion allows for a degree of discretion in how controllers and processors meet these requirements.
Controllers should first assess how their current contracts with processors support compliance with this requirement. If current practices fall short, they should establish a new mechanism for having access to the necessary information and to an appropriate level of detail (i.e., providing the name, address, contact person and description of processing for each (sub-)processor in the chain).
While the Opinion frames responsibility as sitting with controllers, their ability to comply depends on the information provided by the processor(s). Therefore, processors and sub-processors should creatively consider how they document the identities of their own sub-processors and maintain effective mechanisms for sharing up-to-date lists with controllers upon request.
Verification procedures
Controllers should review their verification procedures to ensure they have appropriate checks and balances in place. A sufficient paper trail of the verification process should exist to demonstrate compliance with the GDPR to investigating authorities.
Due diligence must be clear for all processing, with heightened scrutiny for high-risk processing activities. Controllers can rely on information about a sub-processor provided by the processor, but they are responsible for verifying any incomplete or inaccurate information. Ultimately, the controller bears the responsibility for proving that each sub-processor provides sufficient guarantees.
Data transfers
Regarding onward transfers of personal data, controllers must verify their arrangements with any processors (and sub-processors) exporting data outside the EEA. While the logistics of the transfer can be managed by the exporting processor, controllers must ensure that sufficient guarantees regarding technical and organizational measures are in place for all sub-processors in the processing chain. TIAs therefore should be part of the controller's due diligence process.
Conclusion
While the Opinion is not legally binding as written, it will significantly influence the expectations placed on controllers regarding their (sub-)processing chains. This serves as a reminder for controllers to establish clear arrangements that enable them to identify and verify guarantees provided by each entity in the chain. Processors, in turn, should ensure that the information they provide to controllers is accurate, kept up to date, and sufficiently detailed. As a result, companies can anticipate a heightened focus on these mechanisms and tighter contract language regarding the purposes of processing in future controller-processor agreements.
Authored by Dr. Henrik Hanssen, Katie McMullan, Bret Cohen, Dr. Stefan Schuppert, and Eduardo Ustaran.