On 7 Oct., the European Data Protection Board adopted Opinion 22/2024 "on certain obligations following from the reliance on processor(s) and sub-processor(s)." It works through a number of tricky areas affecting controller-processor-subprocessor relationships.

According to the EDPB, processors must provide details of every subprocessor down the chain to the ultimate controller, along with associated information about processing. Further, the opinion explains the controller has an obligation to check that all of these can meet GDPR obligations. This is true irrespective of the risk posed by the processing, although it may affect the extent of verification carried out by the controller. The controller must also check for safeguards in the case of onward transfers.

The opinion also finds that contract language allowing processors to process data as instructed by the controller or as required by law applicable to the processor does not cut through the issue for the processor — but neither is the language offensive as a matter of principle. As this point occurs in almost every Article 28 agreement, it is considered first in the more detailed note below.

Although the opinion goes to great lengths to underline that ultimate responsibility rests on the controllers, in practice controllers will only be able to operationalize these obligations if processors provide them with the necessary information and tools. There is much for processors, as well as for controllers, to do here.

Following instructions unless applicable law requires otherwise

Article 28(3)(a) of the EU General Data Protection Regulation provides that a processor must only process personal data upon documented instruction of the controller. However, there is an exception for situations in which the processor is required to process personal data to meet legal obligations placed on it under EU or member state law. For U.K. readers, the U.K. provision is the same but refers to U.K. domestic law.

In practice, if processors must process personal data to comply with requirements under other, non-EU laws, they will want to ensure they can do so without also being in breach of contract. As a result, almost all standard-form data processing agreements offered by suppliers extend the Article 28(3)(a) wording to state the processor is allowed to process data if required to do so by applicable law. Denmark's data protection authority, Datatilsynet, asked for the EDPB's view on whether this drafting, as a matter of principle, violates the GDPR.

The EDPB concluded this wording does not automatically breach GDPR — phew!

However, the EDPB also concluded the wording actually does not help the processor either. Data processing agreements stipulate processors can only process data as "instructed" and, per the EDPB, instructions have to be "sufficiently precise to cover a specific processing of personal data." In the EDPB's view, this is not the case with the drafting.

This argument seems weak; it is not clear why this type of instruction cannot precisely cover the processing. More rigorously, the EDPB also concluded it is not tenable to claim that the processor is only carrying out the processing to comply with the controller's instructions, as the controller would have to comply with obligations applicable to it irrespective of these instructions.

The EDPB also considers whether contracts must repeat Article 28(3)(a) verbatim to avoid noncompliance, i.e., whether they must copy out the language "unless required" by EU or member state law. The EDPB concluded this is highly recommended but not strictly required.

The board also addresses the wider question of how controllers and processors should tackle the issue of "third country" legal requirements. Here, the EDPB noted it depends on the nature of those legal requirements: Do they respect the essence of the fundamental rights and freedoms enshrined in the Treaty on the Functioning of the European Union, the Charter of Fundamental Rights of the European Union and the GDPR without exceeding what is necessary and proportionate in a democratic society to safeguard objectives permitted under GDPR Article 23(1)?

This cannot be addressed by blanket references to all laws or binding requirements. The EDPB referred to standard contractual clauses for international transfers to illustrate how this should be assessed.

Listing subprocessors: How far down the chain should you go?

Processors are only allowed to engage subprocessors when there is specific or general authorization from the controller. It is typical to deal with this via a list of approved subprocessors in the data processing agreement that is also made available online, through which proposed changes can be notified to controllers. Most subprocessors, in turn, also appoint subprocessors, etc.

A recurring question for processors is how far down the chain the list of approved subprocessors should go. Predictably, the EDPB says the whole chain should be included in the list, which should also include name, address, contact person and description of processing.

The EDPB also links this to the European Court of Justice's decision in RW v. Österreichische Post AG, which notes subject access requests mean the controller has to provide the data subject with details about the actual identity of the recipients of the data subject's data. The EDPB noted this means it is necessary for the controller to be able to retrieve the details of the full chain of subprocessors so they can be provided to data subjects. The board also noted data subjects have a right to be informed of specific recipients in the context of erasure and rectification requests.

While it may seem to follow the Österreichische Post decision, it is difficult to see how this level of proactive disclosure will either be useful for data subjects or readily achievable for controllers. Proactive disclosures at this level only seem possible via online portals, where the disclosures can be generated in an automated manner. This will be difficult for all controllers to achieve and likely completely out of reach for small and medium-size enterprises that often rely extensively on software-as-a-service providers — where long chains of subprocessing are usual — to help them scale and expand.

Subprocessor due diligence: What do controllers have to do?

Article 28(1) provides that a controller may only use processors that provide "sufficient guarantees" their processing will comply with the GDPR and protect individual rights. That processor may, of course, only engage another processor with the authorization of the controller. Datatilsynet posed a series of questions about the extent to which these combined provisions, and the accountability principle under Articles 5(2) and 24, mean the controller should be checking for guarantees and compliance in respect of the subprocessors.

First, the EDPB reiterated that the controller is obligated to check the guarantees of compliance offered by the initial processor, suggesting this could be a mixture of questionnaires, public documents, certifications and audit reports, or document review.

Datatilsynet asked if Article 24, which accepts that appropriate compliance measures can be responsive to the risks posed, meant the obligation would not always apply so far as subprocessors are concerned, for example, whether it would differ for high- versus low-risk subprocessors. The EDPB answered that the obligation to verify if there are sufficient guarantees always applies, irrespective of risk.

However, risk is relevant to the extent of the verification. The EDPB noted the controller does not always have to systematically check every contract between the main processor and its subprocessors.

In practice, controllers will need to rely heavily on the due diligence carried out by the main service provider. The EDPB acknowledged the main service providers' role and liability but also underlined that, irrespective of this, the controller has final responsibility.

What happens when data transfers are added to the mix?

Here, the EDPB reiterated its earlier guidance: The controller has to consider the risks of onward transfers that occur throughout the chain, even if the actual transfer is effected by the processor to a subprocessor rather than the controller transferring the data. This will involve considering data mapping, information about the grounds relied on to provide appropriate protection, the transfer impact assessment and any supplemental measures in place.

Although the EDPB emphasized controllers have ultimate responsibility for this, it accepted that the processor has a role to play here. In practice, controllers have to depend extremely heavily on the white papers and FAQs provided by their processors in this area. Many, certainly larger, processors already have materials along the lines suggested by the EDPB, although it would be sensible to check these against the suggestions in the opinion.

The EDPB suggested the obligation to consider transfer impact assessments down the chain even extends to transfers made from an adequate country. Readers will be aware onward transfer rules are an area of intense scrutiny for the European Commission in adequacy decisions. It would seem logical to conclude, if the Commission has considered these and assessed them to be adequate, there is no need for others to undertake the same exercise.

However, the EDPB's view is that this only excuses controllers from the need to assess the legal framework for transfers in the adequate country. They still have the burden of checking that there are "sufficient guarantees" for onward transfers from the adequate country. It does not seem clear if this means applying the EU standard or the standard in the third country. The fact that the opinion refers to "sufficient guarantees," lifted straight from GDPR Article 28(1) and in quotation marks, perhaps suggests the EDPB is also none the wiser on what this means in practice.

Ruth Boardman is a partner and the co-head of the International Data Protection Practice at Bird & Bird.