EDPB Issues Opinion on Processor and Sub-Processor Obligations Under GDPR
On October 7, 2024, the European Data Protection Board (EDPB) issued an opinion regarding the obligations of data controllers when using processors and sub-processors. The EDPB, responsible for ensuring consistent application of the EU General Data Protection Regulation (GDPR) across the European Economic Area (EEA), responded to inquiries from the Danish supervisory authority. The opinion clarifies that data controllers must maintain up-to-date information about all processors and sub-processors involved in data processing activities. This information should include the identity, contact details, and specific processing responsibilities of each entity, enabling controllers to fulfill their obligations under the GDPR.
When engaging sub-processors, controllers must provide explicit authorization for each processing activity and for the duration of the processing. Controllers who instead grant general authorization to processors must be given sufficient time to object to any proposed sub-processor; if a controller does not respond within the specified timeframe, this is treated as a lack of consent. The initial processor is responsible for supplying the information the controller needs to make an informed decision.
The EDPB emphasizes that the involvement of processors should not compromise data protection standards. Controllers must ensure that processors provide adequate guarantees for the protection of personal data. The level of scrutiny required may vary based on the risk associated with the processing. In cases of high risk, controllers might need to review sub-processing contracts or impose additional requirements to verify that appropriate security measures are in place.
Lastly, when international data transfers occur between processors, controllers must document and justify these transfers to the relevant supervisory authority. This documentation includes a transfer map, the rationale for the transfer, and any safeguards in place. While it is not mandatory to include specific legal disclaimers in processing agreements, the EDPB strongly recommends their inclusion to clarify compliance with the GDPR. Companies should carefully consider these obligations to ensure they have all necessary information and verification in place regarding third parties processing personal data on their behalf.