Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)
| Field | Value |
| --- | --- |
| Jurisdiction | European Union |
| Year | 2024 |
| Date | 09 October 2024 |
| Type of Document | Opinion |
Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)
Adopted on 7 October 2024
Executive summary
The Danish SA requested the EDPB to issue an opinion on matters of general application pursuant to Article 64(2) GDPR. The opinion contributes to a harmonised interpretation by the national supervisory authorities of certain aspects of Article 28 GDPR, where appropriate in conjunction with Chapter V GDPR. In particular, the opinion addresses questions on the interpretation of certain duties of controllers relying on processors and sub-processors, arising in particular from Article 28 GDPR, as well as the wording of controller-processor contracts. The questions address processing of personal data in the EEA as well as processing following a transfer to a third country.
The Board concludes in this opinion that controllers should have the information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under Article 28 GDPR, regardless of the risk associated with the processing activity. To this end, the processor should proactively provide all this information to the controller and should keep it up to date at all times.
Article 28(1) GDPR provides that controllers have the obligation to engage processors providing ‘sufficient guarantees’ to implement ‘appropriate’ measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects. The EDPB considers, in its opinion, that when assessing compliance of controllers with this obligation and with the accountability principle (Article 24(1) GDPR), SAs should consider that the engagement of processors should not lower the level of protection for the rights of data subjects. The controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ to implement the appropriate measures determined by the controller should apply regardless of the risk to the rights and freedoms of data subjects. However, the extent of such verification will in practice vary depending on the nature of these technical and organisational measures, which may be stricter or more extensive depending on the level of such risk.
The EDPB further specifies in the opinion that while the initial processor should ensure that it proposes sub-processors providing sufficient guarantees, the ultimate decision on whether to engage a specific sub-processor and the pertaining responsibility, including with respect to verifying the guarantees, remains with the controller. SAs should assess whether the controller is able to demonstrate that the verification of the sufficiency of the guarantees provided by its (sub-)processors has taken place to the controller’s satisfaction. The controller may choose to rely on the information received from its processor and build on it if needed (for example, where it seems incomplete, inaccurate or raises questions). More specifically, for processing presenting a high risk to the rights and freedoms of data subjects, the controller should increase its level of verification in terms of checking the information provided. In that regard, the EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check whether the data protection obligations provided for in the initial contract have been passed down the processing chain. The controller should assess, on a case-by-case basis, whether requesting a copy of such contracts or reviewing them at any time is necessary for it to be able to demonstrate compliance in light of the principle of accountability.
Where transfers of personal data outside of the EEA take place between two (sub-)processors, in accordance with the controller’s instructions, the controller is still subject to the duties stemming from
Article 28(1) GDPR on ‘sufficient guarantees’, besides the ones under Article 44 to ensure that the level of protection guaranteed by the GDPR is not undermined by transfers of personal data. The processor/exporter should prepare the relevant documentation, in line with the case-law and as explained in EDPB Recommendations 01/2020. The controller should assess and be able to show to the competent SA such documentation. The controller may rely on the documentation or information received from the processor/exporter and if necessary build on it. The extent and nature of the controller’s duty to assess this documentation may depend on the ground used for the transfer and whether the transfer constitutes an initial or onward transfer.
The EDPB also addressed, in the opinion, a question on the wording of controller-processor contracts. In this respect, a basic element is the commitment for the processor to process personal data only on documented instructions from the controller, unless the processor is “required to [process] by Union or Member State law to which the processor is subject” (Article 28(3)(a) GDPR), recalling the general principle that contracts cannot override the law. In light of the contractual freedom afforded to the parties to tailor their controller-processor contract to their circumstances, within the limits of Article 28(3) GDPR, the EDPB takes the view that including the words “unless required to do so by Union or Member State law to which the processor is subject” (either verbatim or in very similar terms) is highly recommended but not mandatory.
As to variants similar to “unless required to do so by law or binding order of a governmental body”, the EDPB takes the view that this remains within the prerogative of the contractual freedom of the parties and does not infringe Article 28(3)(a) GDPR per se. At the same time, the EDPB identifies a number of issues in its opinion, as such a clause does not exonerate the processor from complying with its obligations under the GDPR.
For personal data transferred outside of the EEA, the EDPB considers it unlikely that the wording “unless required to do so by law or binding order of a governmental body”, in itself, suffices to achieve compliance with Article 28(3)(a) GDPR in conjunction with Chapter V. As is illustrated by the European Commission’s International Transfer SCCs and the BCR-C recommendations, Article 28(3)(a) GDPR does not prevent, on principle, the inclusion in the contract of provisions that address third country law requirements to process transferred personal data. However, as is the case in these documents, a distinction should be made between the third country law(s) which would undermine the level of protection guaranteed by the GDPR and those that would not. Finally, the EDPB recalls that the possibility of third country law impeding compliance with the GDPR should be a factor considered by the parties before entering into the contract (between controller and processor or between processor and sub-processor).
Where the processor is processing personal data within the EEA, it may still be faced with third country law, in certain circumstances. The EDPB underlines that the addition in the contract of wording similar to “unless required to do so by law or binding order of a governmental body” does not release the processor from its obligations under the GDPR.
Finally, the EDPB is of the opinion that following up the commitment of the processor to only process on documented instructions with “unless required to do so by law or binding order of a governmental body” (either verbatim or in very similar terms) cannot be construed as a documented instruction by the controller.