In today’s digital landscape, organisations rely heavily on third-party service providers to process personal data. These service providers, eg cloud or software providers, often engage further service providers of their own, thereby creating a data processing chain. Ensuring compliance with the EU General Data Protection Regulation (GDPR) along these chains is a crucial task for businesses.
The European Data Protection Board (EDPB) Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s) (Opinion) from 7 October 2024 answers questions raised by the Danish supervisory authority on GDPR requirements with regard to monitoring such processing chains. The precise extent of certain GDPR obligations has been contentious, especially in light of the first coordinated enforcement action in 2022 concerning cloud-based services by the public sector.
This blog post briefly introduces the relevant data protection roles (ie controllers, processors and sub-processors) and then outlines the three key aspects of the Opinion on responsibilities in relation to service providers under the GDPR.
Data protection roles in processing chains: Controller, processor and sub-processor
The GDPR places the main responsibility for data protection compliance on the organisation that determines the purposes and means of the processing, which is therefore the controller. This overall responsibility of the controller remains when the processing is carried out on its behalf by a third-party service provider acting as processor.
Processors are service providers which, in principle, exclusively process personal data provided by a controller and only on the controller’s documented instructions. They must implement appropriate technical and organisational measures that ensure data protection compliance and provide the controller with sufficient guarantees in this regard.
In many cases, processors engage other service providers, which act as sub-processors, to assist them with the processing of the data provided by the controller. This adds another layer of complexity, as the controller’s obligations extend to ensuring that sub-processors are bound to the same level of data protection as the processor itself.
Identification of sub-processors in the supply chain
The first key aspect of the Opinion concerns whether and how a controller must identify and document its sub-processors along the processing chain. The Danish supervisory authority specifically asked:
Must the controller identify all of the processor’s sub-processors, their sub-processors, etc. throughout the processing chain, or only identify the first line of sub-processors engaged by the processor?
According to the EDPB, controllers should have the identity of all sub-processors throughout the processing chain readily available. The EDPB’s position is arguably stricter than frequent market practice, where controllers often only identify the first line of sub-processors.
The EDPB highlights that sufficient identification is an important element for the controller to be able to exercise control over its processing activities, especially in the event of a personal data breach. Furthermore, GDPR provisions related to transparency (eg the right of access under Article 15 GDPR, which covers the recipients of personal data) require that such information is available to the controller. Therefore, the EDPB considers that the following information is required for all sub-processors, whatever their position in the chain and not only for the first line:
- Contact details, including the name and address of the sub-processor and its contact person.
- Description of the processing, including a clear delimitation of responsibilities in case several sub-processors are authorised.
Verifying and documenting the sufficiency of safeguards in the supply chain
As the second key aspect, the EDPB sets out in the Opinion the extent to which controllers must verify and document the sufficiency of the safeguards provided along the processing chain, ie by processors as well as sub-processors.
The EDPB states that the controller should consider several elements and, depending on the risk associated with the processing, review relevant documentation (eg publicly available information, privacy policies or certifications of sub-processors). For high-risk processing (eg processing of special categories of personal data), the controller may also need to take further verification steps, such as:
- Verifying and documenting sub-processing contracts; and
- Imposing obligations on the processor to verify and document sub-processing contracts.
In this regard, the EDPB notes that supervisory authorities should assess whether a controller is able to demonstrate that it has verified the (contractual) safeguards provided by its sub-processors and reached a positive conclusion. However, the controller is not required to systematically request all data (sub-)processing agreements. Instead, it may choose on a case-by-case basis to rely on the information received from the processor as its contractual partner. Where the information received appears to be incomplete or inaccurate, or raises questions, the EDPB considers that the controller should request and verify additional information from the processor.
Overall, the EDPB’s position is underpinned by the concept that the use of processors should not reduce the level of protection for the rights of data subjects, compared to the situation where the processing is carried out directly by the controller. The controller should therefore exercise careful due diligence when selecting and overseeing sub-processors.
More clarity regarding the exception to instruction-based processing by the processor
The third key aspect of the Opinion concerns the wording of data processing agreements between a controller and its processor. In principle, a processor may only process personal data on the basis of documented instructions from the controller. However, the GDPR provides an exception: the processor may lawfully process personal data without such instructions where ‘Union or Member State law’ to which the processor is subject requires it to do so (Article 28(3)(a) GDPR).
In this context, the EDPB argues, contrary to the view previously articulated by some national supervisory authorities, that an exception clause in a data processing agreement that is not limited to EU or Member State law is not per se contrary to the GDPR. While the EDPB recommends reproducing the wording of Article 28(3)(a) GDPR to demonstrate compliance, it recognises the parties’ contractual freedom to agree different language, in particular because other GDPR safeguards continue to apply (eg the processor’s obligation to inform the controller of such a legal requirement before processing).
However, where different language is used, GDPR compliance depends on whether the law of a third country outside the EU/EEA is relevant to the processing carried out by the controller, processor or sub-processors. Where such third-country law may apply, the GDPR rules on international transfers remain applicable, and the controller should assess whether the level of data protection meets GDPR requirements, taking into account the appropriate safeguards for transfers (eg adequacy decisions, standard contractual clauses and transfer impact assessments).
Conclusion
The EDPB provides guidance on the complex responsibilities of controllers, processors and sub-processors under the GDPR. Overall, the positions of the EDPB are stricter than the common practice of most organisations; the only exception is the flexibility granted regarding the language on instruction-based processing in data processing agreements. National supervisory authorities will take this Opinion into account when enforcing the GDPR rules on processing chains. Therefore, whether acting as controller, processor or sub-processor, organisations should assess whether their data processing agreements, documentation and processes meet the principles described in the Opinion.