Latest EDPB Opinion: What You Need to Know About Using Processors and Sub-Processors

On October 9, 2024, the European Data Protection Board (“EDPB”) issued Opinion 22/2024, offering guidance on the use of processors and sub-processors by controllers. Here are the key takeaways:

If Your Business Acts as a Controller

  • You Make the Final Call: Your processor might recommend using a particular sub-processor, but the ultimate decision rests with you. You’re responsible for ensuring that sufficient guarantees are in place with your processor so that the sub-processors protect the rights of data subjects under Article 28(1).
  • Keep Information to Hand: If your processor relies on sub-processors to process data for you, you need to have detailed information about them readily available. This includes their name, address, and a contact person. It’s not just good practice; it is needed to ensure compliance with Article 28(1) of the GDPR (i.e., to ensure you have the requisite information when approached by a supervisory authority or a data subject).
  • Trust, but Verify: You’re allowed to rely on information from your processors regarding sub-processors without conducting your own review, but when the processing presents a high risk to the rights and freedoms of data subjects, you should double-check. This doesn’t mean you need to systematically review all sub-processing contracts (although you may determine this is needed), but you should assess on a case-by-case basis whether you need to review specific agreements and information to ensure sufficient guarantees are in place.
  • International Data Transfers: If personal data is being sent outside the European Economic Area (“EEA”) between two sub-processors, you are still subject to your duties under Article 28(1) to ensure the level of protection is not undermined by an international transfer. You may conduct a higher-level verification of your sub-processors to ensure they remain in compliance with Article 28(1).

If Your Business Acts as a Processor

  • Be Proactive: If you’re acting as a processor, it’s important to keep your clients (the controllers) informed. You should proactively provide them with all relevant information about any sub-processors you use and the guarantees they provide to you. Transparency helps build trust and ensures everyone knows how data is being handled. For example, periodically updating the sub-processor lists made available to controllers is good practice.
  • Liability Matters: If the sub-processor agreement doesn’t contain the same data protection obligations as the contract with the controller, you remain fully liable to the controller for the sub-processor’s failure. This is made clear in GDPR Article 28(4), so it’s crucial that your sub-processors follow the same data protection standards you have agreed to follow with the controller.
  • Keep Hold of Documents: You have a duty to make available to your controller all information necessary to demonstrate compliance with the GDPR as per Article 28(3)(h).

Drafting Contracts with Controllers, Processors and Sub-Processors

  • EDPB’s Recommended Drafting: When drafting controller-processor contracts, the key principle is that the processor can only process data according to the instructions provided by the controller, unless they are required to act differently by Union or Member State law. Including wording such as “unless required by Union or Member State law” is highly recommended by the EDPB to ensure that the contract is in line with the GDPR.
  • Navigating Third-Country Risks: If two sub-processor contracts involve third countries (outside the EEA), take extra caution. The EDPB highlights that some non-EEA laws may not meet the GDPR’s high standards for protecting personal data. Therefore, before entering into a contract, assess whether third-country laws could undermine the protection guaranteed by the GDPR, and ensure the contract reflects these considerations.

Summary of the Key Takeaways

Ultimately, the EDPB’s Opinion 22/2024 highlights that controllers are responsible for ensuring processors and sub-processors comply with GDPR. Controllers must have detailed information on their processors, verify compliance in high-risk situations, and ensure proper safeguards for international data transfers. Processors, on the other hand, need to be transparent with controllers, ensure they also comply with GDPR standards, and contract with sub-processors on the same terms as they did with their controller.

At Goodwin, we are dedicated to helping companies navigate the complexities of their data protection requirements, in the EU, UK and globally. We have experts who understand the challenges posed by these laws. Goodwin provides tailored support to help businesses anticipate and meet their obligations.