- The controller must actively assume responsibility throughout multi-link processing chains; ambiguities are unacceptable.
- The EDPB requires comprehensive information on all processors and sub-processors in order to meet legal obligations.
- Checks of the security guarantees are required for each stage of the processing chain, especially in high-risk cases.
- In the case of international data transfers, the controller remains liable; risks must be evaluated and appropriate measures taken.
On October 9, 2024, the European Data Protection Board (EDPB) issued the “Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)”, i.e. a statement on certain obligations of data controllers in connection with the involvement of processors and, in particular, sub-processors.
The Danish authority asked a number of specific questions on the basis of Art. 62 para. 2 GDPR, to which the Opinion responds. Unfortunately or fortunately, depending on the case, it does not address the concept of the processor.
As a result, the EDPB is not particularly strict on all points. At the same time, however, it is once again clear that
- the controller cannot escape its responsibility even through a multi-link processing chain, and that
- the authorities assume that controllers have the personnel and budget to assume this responsibility consciously, actively, continuously and seriously. The EDPB’s instructions are not clear in every detail; however, the authorities would not tolerate a lack of clarity as to who processes which data and where.
Clarity about the processing chain
First of all, the EDPB points out that the controller determines the entire chain. The EDPB justifies this by stating, among other things, that the controller must name the individual recipients as part of the duty to inform (the ECJ has confirmed this only for the right to information, but would certainly also do so for the duty to inform). In the context of the Opinion, this leads to the conclusion that, where recipients must be specified, not only the first stage but every sub-processor must be indicated. The controller must also know all sub-sub-processors:
While this is not explicit in these provisions, the Board considers that for the purpose of Article 28(1) and 28(2) GDPR, controllers should have the information on the identity of all processors, subprocessors etc. readily available at all times so that they can best fulfill their obligations under the provisions mentioned above.
However, this is hardly transferable to Switzerland, if only because it is undisputed that specifying categories of recipients is sufficient. In addition, under the GDPR the controller generally has causal liability for its processors (ECJ, Deutsche Wohnen); this is also a point for the EDPB, but it is likewise not transferable.
A clarification can then be found for the more common procedure with a right of objection: here, the processor should proactively provide the controller with certain information about new sub-processors; the EDPB names the identity of the sub-processor and the subject matter of the processing. However, this also means that the processor must name not only new sub-processors, but also all sub-sub-processors through the entire chain, and each sub-processor must do the same for the subsequent levels. Each level must accordingly keep an inventory of the entire downstream processing chain.
However, it is sufficient if this information is “easily accessible”. A mailing list to which the controller (or, further down, the processor, etc.) must subscribe should therefore be unproblematic.
This, too, is not transferable to Switzerland, because it is under the GDPR that the controller must name the individual recipients of the data, at least in the case of a request for information.
Control over the processing chain
Based on the accountability principle (which the wise Swiss legislator has not adopted), the EDPB is of the opinion that the controller must ensure the security of the data – understood as data security, but also as privacy by design – throughout the entire chain:
Articles 24(1) and 28(1) GDPR should be interpreted as requiring the controller to ensure that the processing chain only consists of processors, sub-processors, sub-sub-processors (etc.) that provide ‘sufficient guarantees to implement appropriate technical and organizational measures’. In addition the controller should be able to prove that it has taken all of the elements provided in the GDPR into serious consideration.
This concerns first the first-tier processor, for which the controller must carry out due diligence appropriate to the circumstances (vendor assessment, third-party risk assessment). How it has to proceed is not prescribed:
For example, the controller may choose to draw a questionnaire as a means to gather information from its processor to verify the relevant guarantees, ask for the relevant documentation, rely on publicly-available information and/or certifications or audit reports from trustworthy third parties and/or perform on-site audits.
In principle, the controller must also make appropriate considerations for the downstream levels (and document them!), but here too the risks for the data subjects are decisive. And the controller may make use of the processor’s support here:
Such duty is facilitated by, on the one hand, the assistance and audit obligations imposed on the processors and, on the other hand, the information provided by the initial processor to the controller before the engagement of additional processors.
In concrete terms, this means the following:
- The processor must provide all necessary information, and the contract should specify the appropriate mechanism:
The controller should be fully informed as to the details of the processing that are relevant to demonstrate compliance with the obligations laid down in Article 28 GDPR, and the processor should provide all information on how the processing activity is carried out on behalf of the controller. The contract should specify on how often and how this flow of information should take place.
- The controller may generally rely on this information;
- The same applies to the following levels of the chain; the processor must therefore check the sub-processor.
However, this does not answer the question of what role the controller has to play with regard to sub-processors. The EDPB says:
The ultimate decision on whether to engage a specific sub-(sub-)processor and the pertaining responsibility, including with respect to verifying the sufficiency of the guarantees provided by the (sub-)processor, remains with the controller. As already recalled, in case of generic or specific authorization, it is always up to the controller to decide whether to approve the engagement of this sub-processor or whether to object against it. […]
This entails that the controller may choose to rely on the information received from its processor and if necessary build on it. For example, in case where the information received by the controller seems incomplete, inaccurate or raises questions, or where appropriate based on the circumstances of the case including the risk associated with the processing, the controller should ask for additional information and/or verify the information and complete/correct it if necessary.
This leaves open the crucial question of whether the controller must also approve the involvement of sub-sub-processors. If, for example, an insurer engages Microsoft (as processor) and Microsoft in turn uses Snowflake as a sub-processor in accordance with Microsoft’s corresponding list, this is hardly the end of the chain. So does Microsoft also have to inform the customer when Snowflake moves to a new provider?
It is hardly a coincidence that the EDPB does not explicitly address this issue. Nevertheless, the following passage indicates that the controller does not normally have to go this far, but only in high-risk cases (because only here does the EDPB refer not merely to the sub-processors that the controller must approve, but explicitly to the entire chain):
More specifically, for processing presenting a high risk to the rights and freedoms of data subjects, the controller should increase its level of verification in terms of checking the information provided regarding the guarantees presented by the different processors in the processing chain.
The controller is also entitled to the data processing agreement (ADV) between the processor and the sub-processor and, according to the EDPB, can also request the contracts further down the chain. However, it does not necessarily have to do so:
This said, the controller does not have a duty to systematically ask for the sub-processing contracts to check whether the data protection obligations provided for in the initial contract have been passed down the processing chain. The controller should assess, on a case-by-case basis, whether requesting a copy of such contracts or reviewing them at any time is necessary for it to be able to demonstrate compliance in light of the principle of accountability. In the context of exercising its right of audit under 28(3)(h), the controller should have a process in place to undertake audit campaigns in order to check by sampling verifications that the contracts with its sub-processors contain the necessary data protection obligations.
Transfers abroad
Here, too, the EDPB begins with the responsibility of the controller – in the case of an unauthorized onward transfer by a processor or sub-processor, the controller remains responsible and may thereby violate Art. 44 GDPR:
For example, both the controller and the processor remain, in principle, responsible under Chapter V GDPR for an unlawful initial or onward transfer and therefore could be both and individually be held liable in the event of an infringement.
However, the same applies as above: this says nothing about how the controller discharges its responsibility. In this respect, the issue of international transfers changes nothing; the controller must carry out appropriate risk-based checks and take measures against violations. When approving a sub-processor, the controller must therefore also be informed about which data may be transferred to a third country (“mapping”), and if it has doubts about the quality of the information, it must ask.
The controller must also know on what basis the transfer to the third country is to take place. Here the EDPB makes more specific statements. The controller should have and check the following information:
- Adequacy decision: whether the decision is in force and whether the transfer falls within the scope of the decision;
- Appropriate safeguards: if appropriate safeguards such as the standard contractual clauses are used, the controller should ensure that a Transfer Impact Assessment (TIA) is carried out:
In this case, the controller should assess the appropriate safeguards put in place and be attentive about any problematic legislation that could prevent the sub-processor from complying with the obligations established in its contract with the initial processor. More specifically, the controller should ensure that such “a transfer impact assessment” is carried out, in line with the case-law, and as explained in EDPB Recommendations 01/2020.
The processor should accordingly disclose the TIA. The controller may again generally rely on it:
The documentation relating to the appropriate safeguards put in place, the “transfer impact assessment” and the possible supplementary measures should be produced by the processor/exporter (where appropriate in collaboration with the processor/importer). The controller can rely on the assessment prepared by the (sub-)processor and if necessary build on it.
Accordingly, the controversial question of whether the controller can demand the TIA should be clarified, at least for the GDPR.
National law and the concept of “instructions”
The data processing agreement (ADV) may or should address the case where the processor is subject to national law and may accordingly be compelled to process the entrusted data outside the controller’s instructions. In practice, the problem arises that Art. 28 GDPR refers here only to the law of the EEA or of the Member States, but not to the law of third countries, which is why a German controller may, in theory, not permit a Swiss processor to process data in accordance with deviating Swiss law.
In practice, contracts as a rule refer to the law of the processor’s own country, including non-European states. The EDPB clarifies that this practice is permissible:
In light of the analysis above, the EDPB takes the view that including, in a contract between the controller and the processor, the exception provided for in Article 28(3)(a) GDPR “unless required to do so by Union or Member State law to which the processor is subject” (either verbatim or in very similar terms) is highly recommended, but not strictly required in order to be in compliance with Article 28(3)(a) GDPR. This position is without prejudice to the need for a contractual obligation to inform the controller when the processor is legally required to process personal data other than upon the controller’s instructions […]
It also points out that in such a case a transfer or an onward transfer to a third country is likely to have taken place and that the requirements of Art. 44 et seq. GDPR must be observed, which leads to an examination of the recipient’s law (as part of the adequacy decision or a TIA).
The EDPB raises another interesting question: if the controller permits the processor to process data differently where required by law, is that an instruction of the controller? In practice, it can be observed that deviating processing by the processor is included in the contract as an instruction of the controller so as to enable that processing, which, however, raises the question of whether the controller may issue such instructions at all (e.g. in the case of Microsoft, when it comes to the limited processing for its own purposes provided for in Microsoft’s DPA).
The EDPB is of the opinion here that such an instruction must be
- sufficiently detailed and
- revocable at any time.
The latter is not the case in practice in such situations, which is why, in the opinion of the EDPB, there is no instruction – at least not a data protection-compliant one.