Controllers, processors and subprocessors in chains


Contributors:
Ruth Boardman
Partner, Co-head, International Data Protection Practice
Bird & Bird LLP
On 7 Oct., the European Data Protection Board (EDPB) adopted Opinion 22/2024 "on certain obligations following from the reliance on processor(s) and sub-processor(s)." It works through a number of tricky areas affecting controller-processor-subprocessor relationships.
According to the EDPB, processors must provide details of every subprocessor down the chain to the ultimate controller, along with associated information about the processing. Further, the opinion explains that the controller has an obligation to check that all of these subprocessors can meet GDPR obligations. This is true irrespective of the risk posed by the processing, although the level of risk may affect the extent of the verification carried out by the controller. The controller must also check for safeguards in the case of onward transfers.
The opinion also addresses the contractual language that allows processors to process data as instructed by the controller or as required by law applicable to the processor. This language does not cut through the issue for the processor, but neither is it offensive as a matter of principle. As this point occurs in almost every Article 28 agreement, it is considered first in the more detailed note below.
Although the opinion goes to great lengths to underline that ultimate responsibility rests on the controllers, in practice controllers will only be able to operationalize these obligations if processors provide them with the necessary information and tools. There is much for processors, as well as for controllers, to do here.
Following instructions unless applicable law requires otherwise