On 9 October 2024, the European Data Protection Board (EDPB) published its Opinion 22/2024, clarifying the responsibilities of controllers when relying on processors and sub-processors. This guidance emphasizes the importance of controller accountability in ensuring GDPR compliance across extended (sub-)processing chains, including with regard to possible onward data transfers to non-EU countries. The takeaways from the EDPB's Opinion are potentially significant, but they can, and should, be approached in a pragmatic way by both service providers and their customers.
Opinion 22/2024 arose from a request by the Danish Data Protection Authority (DPA) for guidance from the EDPB under Article 64(2) GDPR. This procedure allows national data protection authorities to seek EDPB opinions on matters of ‘general application or producing effects in more than one EU Member State’ (as was accepted by the EDPB to be the case in respect of the Danish DPA’s questions).
The Danish DPA posed several questions to the EDPB, focusing on scenarios where a controller engages a processor, that in turn engages other (sub-)processors under Article 28 GDPR. The questions addressed various aspects of such (sub-)processing chains and the related accountability obligations of controllers.
Notably, the Opinion was issued without the public consultation that usually precedes the adoption of EDPB Guidelines, because no consultation is required for opinions issued by the EDPB under the Art. 64 procedure, so it may have come as a bit of a surprise to controllers and processors alike.
On the face of it and perhaps unsurprisingly, the EDPB takes a rather strict stance, stating that ‘the processor should proactively provide to the controller all information on the identity of all processors, sub-processors etc. processing on behalf of the controller, and should keep this information regarding all engaged sub-processors up to date at all times.’
In practice, this essentially means that the EDPB expects that the identity of all processors in a processing chain must be accessible to the controller. However, the EDPB acknowledges that it is open for the controller and processor to agree between them how and in which format this information can be made available, which leaves some room for flexibility in meeting this requirement.
Crucially, the EDPB specifies that controllers need not systematically ask for every sub-processing contract to check that the data protection obligations in their initial contract with the processor have been carried down the chain; the requirements should be assessed on a case-by-case basis. Rather, the controller may rely on information provided by the initial processor if the information submitted by the processor actually demonstrates compliance.
The EDPB concludes that alternative wording such as ‘unless required to do so by law or binding order of a governmental body’ does not infringe Article 28 GDPR, but it does not exonerate the controller and processor from their obligations under the GDPR. Further, this alternative wording cannot be construed as a documented instruction by the controller to process data.
The EDPB Opinion is not a draft and is immediately applicable. However, it is not legally binding and instead provides guidance for how the GDPR should be applied in the view of the EU data protection authorities. National data protection authorities will consider this Opinion when applying the GDPR, such as during investigations and other enforcement procedures. Consequently, both controllers and processors should take into account the views expressed by the EDPB as part of their data protection management systems and GDPR compliance efforts. The key points to consider are set out below.
Companies should pay particular attention to the EDPB’s requirement that controllers be able to identify all processors involved in a (sub-)processing chain at any given time. At first glance, this could be understood as adding a new layer of responsibility for controllers to maintain records of their entire (sub-)processing chains. However, the Opinion allows for a degree of discretion in how controllers and processors meet these requirements.
Controllers should first assess how their current contracts with processors support compliance with this requirement. If current practices fall short, they should establish a new mechanism for having access to the necessary information and to an appropriate level of detail (i.e., providing the name, address, contact person and description of processing for each (sub-)processor in the chain).
While the Opinion frames responsibility as sitting with controllers, their ability to comply depends on the information provided by the processor(s). Therefore, processors and sub-processors should consider carefully how they document the identities of their own sub-processors and maintain effective mechanisms for sharing up-to-date lists with controllers upon request.
Controllers should review their verification procedures to ensure they have appropriate checks and balances in place. A sufficient paper trail of the verification process should exist to demonstrate compliance with the GDPR to investigating authorities.
Due diligence must be clear for all processing, with heightened scrutiny for high-risk processing activities. Controllers can rely on information about a sub-processor provided by the processor, but they are responsible for verifying any incomplete or inaccurate information. Ultimately the controller bears the responsibility for proving that each sub-processor provides sufficient guarantees.
Regarding onward transfers of personal data, controllers must verify their arrangements with any processors (and sub-processors) exporting data outside the EEA. While the logistics of the transfer can be managed by the exporting processor, controllers must ensure that sufficient guarantees regarding technical and organizational measures are in place for all sub-processors in the processing chain. Transfer impact assessments (TIAs) should therefore be part of the controller's due diligence process.
While the Opinion is not legally binding as written, it will significantly influence the expectations placed on controllers regarding their (sub-)processing chains. This serves as a reminder for controllers to establish clear arrangements that enable them to identify and verify the guarantees provided by each entity in the chain. Processors, in turn, should ensure that the information they provide to controllers is accurate, is kept up to date, and is sufficiently detailed. As a result, companies can anticipate a heightened focus on these mechanisms and tighter contract language regarding the purposes of processing in future controller-processor agreements.
Authored by Dr. Henrik Hanssen, Katie McMullan, Bret Cohen, Dr. Stefan Schuppert, and Eduardo Ustaran.