On October 7, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on obligations following from the use of processors and sub-processors (the “Opinion”). The EDPB is the body that seeks to ensure harmonised application of the EU GDPR across the European Economic Area (“EEA”) and is comprised of the heads of the data protection authorities in each EEA state, as well as the European Data Protection Supervisor. The Opinion was rendered in response to questions posed by the Danish supervisory authority to the EDPB concerning controllers’ obligations in respect of processors, as well as specific questions about the wording of processing contracts.
In summary, the Opinion provides that:
- Controllers must have information on the identity of all processors and sub-processors readily available at all times, regardless of the length of the processing chain. This information must include, in respect of each (sub-) processor, the name, address, contact person (name, position, contact details) and description of the processing (including clear delimitation of responsibilities for each entity if more than one processor is involved in the processing activities). This is required to ensure that controllers can comply with their other obligations under the EU GDPR, such as data subjects’ right of access and their transparency obligations. Where there is a processing chain, the initial processor should proactively provide the required information in a manner acceptable to the controller.
- Where a controller’s specific authorisation to engage a sub-processor is required, the controller should provide specific authorisation for each processing activity and the time frame over which the processing will occur. If the controller’s consent is not given within the time frame requested by the processor, such non-response should be taken as the controller not having given consent.
- Where a controller has provided a processor with general authorisation to engage sub-processors, the controller should always have sufficient time to object to additional sub-processors proposed by the processor, and it is the obligation of the initial processor to provide the required information to allow an informed decision.
- The engagement of processors should not lower the level of protection for data subjects. A controller is always obliged to verify that a processor provides “sufficient guarantees” to protect personal data, but the extent of the verification required will vary with the nature of the technical and organisational measures concerned, and it may need to be stricter or more extensive where the processing poses a higher risk to data subjects. Where there is a high risk to data subjects, a controller may wish to see the sub-processing contracts, or to impose additional requirements on the initial processor to verify that appropriate technical and organisational measures are in place to protect the personal data. The EDPB states that the initial processor does have a role to play in the choice of sub-processors and in verifying the guarantees they provide, and should supply the controller with this information.
- Where there is an international transfer between processors, the controller should assess and be able to show a relevant supervisory authority the appropriate documentation. This documentation may include a transfer map, the grounds for the transfer, the adequacy decision or appropriate safeguard relied upon, and the transfer impact assessment.
- It is not mandatory to include the words “unless required to do so by Union or Member State law” in processing agreements that comply with Article 28 of the EU GDPR. A contract can never override the law, so the wording is something of a statement of the obvious. The EDPB nevertheless strongly recommends that it be included.
- It is permissible to include wording such as “unless required to do so by law or binding order of a governmental body” (i.e. referring to processing that a (sub-) processor is required to carry out outside the scope of the documented instructions in accordance with third country law). Such wording does not infringe Article 28(3)(a) per se, but it does not exonerate a processor from complying with its obligations under the EU GDPR (if it is covered by the EU GDPR). Where there is an international transfer of personal data to a (sub-) processor that is not covered by the EU GDPR, such contractual wording cannot be relied on by the (sub-) processor to permit the processing of data in accordance with third country law where that would undermine the level of protection afforded by the EU GDPR. Parties should consider whether third country law impedes compliance with the EU GDPR before entering into any processing contract. The inclusion of such words does not constitute a documented instruction from the controller to process data in accordance with third country law or a binding order of a third country governmental body.
The Opinion serves as a helpful reminder to companies that reliance on processors and sub-processors does not absolve controllers of their responsibility to protect personal data. Processing chains are often long, and the verification and documentation requirements imposed by the EU GDPR, and reiterated in the Opinion, can be onerous. The Opinion nevertheless makes it clear that these obligations must be complied with, and controllers would be well advised to check whether they hold all of the information and verification required in respect of third parties processing personal data on their behalf.