On 7 October 2024, the European Data Protection Board (EDPB) issued its Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s). Building on its earlier Guidelines 07/2020 on the concepts of controller and processor, the EDPB addresses in more detail the relationship between controllers and their processors or sub-processors (who process personal data on the instructions and on behalf of a controller or a processor, respectively).
First, the EDPB clarifies the controllers’ accountability obligations under the GDPR and the level of verification expected from controllers when working with (sub-)processors. Second, the EDPB provides more guidance on the wording of data processing agreements regarding the situation where a processor is legally required to process personal data, irrespective of the instructions of the controller.
Below, we give an overview of the most important takeaways for companies who (intend to) subcontract their processing of personal data.
1. Responsibilities of the controller regarding processors and sub-processors
1.1. Identification of all (sub-)processors in the chain
Under the GDPR, any engagement of additional processors by an initial processor requires the (specific or general) written authorization of the controller: the controller must either agree with the initial processor on all sub-processors to be engaged or approve of an initial list of sub-processors with the possibility to object to further changes. Furthermore, data subjects can request access to the exact identity of the recipients to whom their personal data have been or will be disclosed, including any processor involved.
The identification of all actors involved in data processing is thus essential for the controller to be able to exercise control over the processing activities, to respond to data breaches along the processing chain or to address data subject access requests. Therefore, controllers should have the information on the identity (i.e., name, address, contact person) of all processors and sub-processors readily available at all times, regardless of the risk associated with the processing activity. According to the EDPB, the initial processor should communicate these details proactively and keep them up to date at all times.
1.2. Verification and documentation of sufficient guarantees throughout the chain
Controllers may only engage processors who provide sufficient guarantees that the processing activities will be conducted in a GDPR-compliant manner, particularly in terms of appropriate technical and organisational measures. In other words, the controller must ensure that the engagement of a given processor does not lower the level of data protection compared to a situation where the processing would be carried out by the controller itself.
The EDPB emphasizes that the verification obligation of the controller applies to all (sub-)processors in the chain, regardless of the risk associated with the processing activity: it is up to the controller to verify whether the processors, sub-processors, sub-sub-processors etc. present sufficient guarantees to implement the measures determined by the controller. However, the extent of such verification may vary depending on the risk associated with the processing: the controller may define stricter or more extensive technical and organisational measures when the processing constitutes a higher risk to the rights and freedoms of data subjects (e.g., when special category data are being processed). Furthermore, the verification obligation is a continuous obligation: the controller should at appropriate intervals verify the processor’s guarantees, including through audits and inspections where appropriate.
As concerns the selection of and oversight over initial processors, controllers need to perform due diligence taking into account several elements such as the processor’s knowledge, reliability, resources, reputation and adherence to an approved code of conduct or certification mechanism. Such a due diligence exercise necessarily involves the exchange of relevant information, to be documented by the controller. Depending on the specific circumstances of the processing, the existence of sufficient guarantees can be demonstrated, inter alia, through:
- a questionnaire drawn up by the controller;
- the processor’s privacy policies, terms of service, records of processing activities, records management policies, information security policies or other relevant documentation;
- publicly available information about the processor;
- certifications or audit reports from trustworthy third parties; and/or
- performance of on-site audits.
With regard to sub-processors engaged by an initial processor, controllers are certainly not obliged to systematically review every sub-processor contract in order to verify whether the sub-processor presents sufficient guarantees for GDPR compliance; controllers should rather assess on a case-by-case basis whether requesting a copy of a sub-processor contract is necessary. The EDPB acknowledges that controllers may rely on the information received from the initial processor and, if necessary, ask for additional information and/or verify the information. The initial processor has an important role to play in the choice of the sub-processors and in verifying the guarantees they provide, and should therefore provide the controller with sufficient information. After all, the initial processor remains fully liable to the controller for the performance of the sub-processors’ obligations.
However, the ultimate decision on whether to engage a specific sub-processor and the pertaining responsibility, including with respect to verifying the sufficiency of the guarantees provided by the sub-processor, remains with the controller. In this regard, the extent of the controller’s verification obligation will again depend on the risk associated with the processing (supra). In case of a higher risk, the controller may therefore have to increase the level of its verification along the entire processing chain by verifying the sub-processing contracts itself and/or by imposing on the initial processor an extended verification and documentation obligation.
1.3. Verification and documentation of sufficient guarantees in case of data transfers
Except when required by law (infra), a transfer of personal data outside of the European Economic Area (EEA) is only possible on the basis of documented instructions from the controller and in compliance with the relevant provisions of the GDPR. It is up to the controller to decide whether a transfer of personal data outside of the EEA is possible as part of the processing activities entrusted to the (sub-)processors.
Where a processor exports personal data to another processor along the chain on behalf of the controller, the controller still bears the responsibility (i) to ensure that the level of data protection under the GDPR is not undermined by the transfer and (ii) to verify whether the (sub-)processors present sufficient guarantees to implement the measures determined by the controller. Practical difficulties concerning control over the engagement of sub-processors – which could make it difficult for the controller to verify the sufficient guarantees, especially in case of transfers to third countries – do not exonerate the controller from its responsibilities in the processing chain. The controller needs to obtain and assess all relevant information in order to issue the required instructions for a transfer in a GDPR-compliant way.
The controller may rely on the information received from the exporting processor and, if necessary, build on it. In this respect, the controller should be able to assess – and be able to show to the competent supervisory authorities – the following (non-exhaustive) documentation before any transfer takes place:
- transfer mapping: the controller should ensure that a mapping is carried out by the exporting processor, setting out which personal data are being transferred, whereto and for which purposes; and
- the ground for the transfer used and – where applicable – the transfer impact assessment and supplementary measures: where a transfer is carried out by a (sub-)processor on behalf of the controller on the basis of an adequacy decision, the controller should verify (i) whether the adequacy decision is in force, (ii) whether the transfer in question falls within the scope of this decision and (iii) whether the (sub-)processor provides sufficient guarantees also with respect to onward transfers carried out by a (sub-)processor from the adequate country to another third country. In the absence of an adequacy decision, the controller should assess (i) the appropriate safeguards put in place, (ii) the transfer impact assessment or other supplementary measures and (iii) whether the (sub-)processor provides sufficient guarantees that, in case of onward transfers, the importing processors actually comply with the requirements for onward transfers as laid down in the appropriate safeguards instrument.
Again, the verification obligation applies regardless of the risk of the associated processing activity, but the extent of the obligation will in practice vary depending on the risk: the existence of a transfer to third countries along the processing chain may increase the risk arising from the processing and thus have an impact on the ‘appropriate’ measures determined by the controller.
2. Processing only on documented instructions from the controller, unless required by (EU or national) law
Any processing of personal data by a processor must be governed by an agreement (or other EU or national legal act) between the controller and the processor. Under the GDPR, this data processing agreement must stipulate that the processor shall process the personal data only on documented instructions from the controller, “unless required to do so by Union or Member State law to which the processor is subject”. In the latter case, the processor is obliged to inform the controller of such legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The question arises whether a data processing agreement must explicitly refer to the legal requirement exception (either verbatim or in very similar words) or whether the data processing agreement can also refer to third country law.
Based on the general principles that contracts cannot override mandatory law and cannot bind third parties (such as public authorities), the EDPB clarifies that including the words “unless required to do so by Union or Member State law to which the processor is subject” is highly recommended but not strictly necessary. However, it is still mandatory to include a contractual obligation to inform the controller when the processor is legally required to process personal data other than upon the controller’s instructions.
The EDPB further acknowledges that in the context of data transfers, legal requirements may also arise from legislation other than EU or Member State law. In this respect, data processing agreements often stipulate that processors are allowed to process personal data when required by any law or binding order of a governmental body.
According to the EDPB, including provisions that address third-country law requirements to process personal data does not in and of itself constitute a breach of the GDPR. However, a reference to third-country law does not relieve the controller or the processor from their obligations under the GDPR, in particular regarding the information to be provided to the controller and – where applicable – the conditions for international transfers of personal data processed on behalf of the controller. With respect to processing outside the EEA, the data processing agreement will need to provide that only third-country laws which ensure a level of protection essentially equivalent to that of the GDPR may require processing by the processor, and that the processor will implement supplementary measures if necessary.
Any reference in the data processing agreement to a legal requirement – whether it refers to EU, Member State or third-country law – can in no event be considered as a documented instruction of the controller. According to the EDPB, an instruction constitutes a specific request of the controller addressing what processing the processor is expected to do and how. Such instruction must be sufficiently precise to cover a specific processing of personal data and the controller should at all times be able to withdraw the instruction. By contrast, the controller’s influence on data processing ceases where the processing is required by EU, Member State or, for processing outside the EEA, third-country law.
3. Conclusion
The Guidelines underline the controller’s duty to identify all actors in the data processing chain and check and document GDPR compliance throughout the chain, and the processor’s corresponding duty to provide the necessary information about itself and its subcontractors to the controller. Furthermore, it is clear that third-country law requirements to process personal data and the contractual freedom of controllers and processors cannot jeopardize the level of protection under the GDPR, especially in case of data transfers.
Lydian’s Information Governance & Data Protection (Privacy) Team is at your service for any further questions you may have regarding controller-processor relations and data processing agreements.