Takeaways (AI):
  • The controller must actively assume responsibility in multi-link processing chains; ambiguities are unacceptable.
  • The EDPB requires comprehensive information on all processors and sub-processors in order to meet legal obligations.
  • Reviews of the guarantees offered are required at each stage of the processing chain, especially in high-risk cases.
  • In the case of international data transfers, the controller remains liable; risks must be evaluated and appropriate measures taken.

On October 9, 2024, the European Data Protection Board (EDPB) issued an “Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)”, i.e. a statement on certain obligations of data controllers in connection with the involvement of processors and, in particular, sub-processors.

The Danish authority had asked a number of specific questions on the basis of Art. 62 para. 2 GDPR, which the Opinion answers. Unfortunately or fortunately, depending on the case, it does not address the concept of the processor itself.

As a result, the EDPB is not particularly strict on every point. At the same time, however, it is once again clear that

  • the controller cannot escape its responsibility even through a multi-link processing chain, and that
  • the authorities assume that controllers have the personnel and budget to assume this responsibility consciously, actively, continuously and seriously. The EDPB’s instructions are not clear in every detail; however, the authorities would not tolerate any lack of clarity as to who processes which data and where.

Clarity about the processing chain

First of all, the EDPB points out that the controller determines the entire chain. The EDPB justifies this by stating, among other things, that the controller must name the individual recipients as part of its duty to inform (the ECJ has confirmed this only for the right to information, but would certainly also do so for the duty to inform). In the context of the Opinion, this leads to the conclusion that, where the individual recipients must be specified, this applies not only to the first stage: each UAB (sub-processor) must also be indicated. The controller must therefore also know all sub-UABs:

While this is not explicit in these provisions, the Board considers that for the purpose of Article 28(1) and 28(2) GDPR, controllers should have the information on the identity of all processors, subprocessors etc. readily available at all times so that they can best fulfill their obligations under the provisions mentioned above.

However, this is hardly transferable to Switzerland, if only because it is undisputed there that specifying the categories of recipients is sufficient. In addition, under the GDPR the controller generally has causal (strict) liability for its processors (ECJ, Deutsche Wohnen); this is also a point for the EDPB, but it is likewise not transferable.

A clarification then follows for the more common procedure with a right of veto: here, the AB (processor) should proactively provide the controller with certain information about new UABs; the EDPB mentions the name and the subject matter of the processing. However, this also means that the AB must name not only new UABs but all sub-UABs through the entire chain, and each UAB must do the same for the subsequent levels. Each level must accordingly inventory the entire downstream processing chain.

However, it is sufficient if this information is “easily accessible”. A mailing list to which the controller (or, further down, the AB, etc.) must subscribe should therefore be unproblematic.

This, too, is not transferable to Switzerland, because it rests on the controller having to name the individual recipients of the data under the GDPR, at least in response to a request for information.

Control over the processing chain

Based on the accountability principle (which the wise Swiss legislator has not adopted), the EDPB is of the opinion that the controller must ensure the security of the data – understood as data security, but also as privacy by design – throughout the entire chain:

Articles 24(1) and 28(1) GDPR should be interpreted as requiring the controller to ensure that the processing chain only consists of processors, sub-processors, sub-sub-processors (etc.) that provide ‘sufficient guarantees to implement appropriate technical and organizational measures’. In addition the controller should be able to prove that it has taken all of the elements provided in the GDPR into serious consideration.

This initially concerns the first stage, the AB, for which the controller must carry out due diligence appropriate to the circumstances (vendor assessment, third-party risk assessment). How it must proceed is left open:

For example, the controller may choose to draw a questionnaire as a means to gather information from its processor to verify the relevant guarantees, ask for the relevant documentation, rely on publicly-available information and/or certifications or audit reports from trustworthy third parties and/or perform on-site audits.

In principle, the controller must also make appropriate considerations for the downstream levels (and document them!), but here too the risks for the data subjects are decisive. And the controller may make use of the AB’s support here:

Such duty is facilitated by, on the one hand, the assistance and audit obligations imposed on the processors and, on the other hand, the information provided by the initial processor to the controller before the engagement of additional processors.

In concrete terms, this means the following:

  • The processor must provide all necessary information, and the contract should specify the appropriate mechanism:

    The controller should be fully informed as to the details of the processing that are relevant to demonstrate compliance with the obligations laid down in Article 28 GDPR, and the processor should provide all information on how the processing activity is carried out on behalf of the controller. The contract should specify how often and how this flow of information should take place.

  • The controller may generally rely on this information.
  • The same applies to the following levels of the chain; the AB must therefore check the UAB.

However, this does not answer the question of what role the controller has to play with regard to the UABs. The EDPB says:

The ultimate decision on whether to engage a specific sub-(sub-)processor and the pertaining responsibility, including with respect to verifying the sufficiency of the guarantees provided by the (sub-)processor, remains with the controller. As already recalled, in case of generic or specific authorization, it is always up to the controller to decide whether to approve the engagement of this sub-processor or whether to object against it. […]

This entails that the controller may choose to rely on the information received from its processor and if necessary build on it. For example, in case where the information received by the controller seems incomplete, inaccurate or raises questions, or where appropriate based on the circumstances of the case including the risk associated with the processing, the controller should ask for additional information and/or verify the information and complete/correct it if necessary.

This leaves open the crucial question of whether the controller must also approve the involvement of sub-UABs. If, for example, an insurer engages Microsoft (AB) and Microsoft in turn uses Snowflake as a UAB in accordance with Microsoft’s corresponding list, this is hardly the end of the chain. So does Microsoft also have to inform the customer when Snowflake moves to a new provider?

It is hardly a coincidence that the EDPB does not explicitly address this issue. Nevertheless, the following passage indicates that the controller does not normally have to go this far, but only in high-risk cases (because only here does the EDPB refer not merely to UABs that the controller must approve, but explicitly to the entire chain):

More specifically, for processing presenting a high risk to the rights and freedoms of data subjects, the controller should increase its level of verification in terms of checking the information provided regarding the guarantees presented by the different processors in the processing chain.

The controller is also entitled to the ADV (data processing agreement) between the AB and the UAB and, according to the EDPB, may also request the contracts further down the chain. However, it does not necessarily have to do so:

This said, the controller does not have a duty to systematically ask for the sub-processing contracts to check whether the data protection obligations provided for in the initial contract have been passed down the processing chain. The controller should assess, on a case-by-case basis, whether requesting a copy of such contracts or reviewing them at any time is necessary for it to be able to demonstrate compliance in light of the principle of accountability. In the context of exercising its right of audit under 28(3)(h), the controller should have a process in place to undertake audit campaigns in order to check by sampling verifications that the contracts with its sub-processors contain the necessary data protection obligations.

Transfers abroad

Here, too, the EDPB begins with the responsibility of the controller – in the case of an unauthorized onward transfer by an AB or UAB, the controller remains responsible and may thereby violate Art. 44 GDPR:

For example, both the controller and the processor remain, in principle, responsible under Chapter V GDPR for an unlawful initial or onward transfer and therefore could both and individually be held liable in the event of an infringement.

However, the same applies as above: this does not say anything about how the controller assumes its responsibility. In this respect, the issue of international transfers does not change anything; the controller must carry out appropriate risk-based checks and take measures against violations. When approving a UAB, the controller must therefore also be informed about which data may be transferred to a third country (“mapping”), and if it has doubts about the quality of the information, it must ask.

The controller must also know on what basis the transfer to the third country is to take place. The EDPB makes more specific statements here. The controller should have and check the following information:

  • Adequacy decision: whether the decision is in force and whether the transfer falls within the scope of the decision;
  • Appropriate safeguards: if appropriate safeguards such as the standard contractual clauses are used, the controller should ensure that a Transfer Impact Assessment (TIA) is carried out:

    In this case, the controller should assess the appropriate safeguards put in place and be attentive about any problematic legislation that could prevent the sub-processor from complying with the obligations established in its contract with the initial processor. More specifically, the controller should ensure that such “a transfer impact assessment” is carried out, in line with the case-law, and as explained in EDPB Recommendations 01/2020.

    The AB should accordingly disclose the TIA. The controller may again generally rely on it:

    The documentation relating to the appropriate safeguards put in place, the “transfer impact assessment” and the possible supplementary measures should be produced by the processor/exporter (where appropriate in collaboration with the processor/importer). The controller can rely on the assessment prepared by the (sub-)processor and if necessary build on it.

    Accordingly, the controversial question of whether the controller can demand the TIA should be clarified, at least for the GDPR.

National law and the concept of “instructions”

The ADV may or should address the case in which the AB is subject to national law and may accordingly be forced to process the commissioned data outside the controller’s instructions. In practice, the problem arises that Art. 28 GDPR refers here only to the law of the EEA or the Member States, not to the law of third countries, which is why a German controller may theoretically not allow a Swiss AB to process data in accordance with deviating Swiss law.

In practice, the contract usually refers to the law of the country in which the AB is established, including for non-European states. The EDPB clarifies that this practice is permissible:

In light of the analysis above, the EDPB takes the view that including, in a contract between the controller and the processor, the exception provided for in Article 28(3)(a) GDPR “unless required to do so by Union or Member State law to which the processor is subject” (either verbatim or in very similar terms) is highly recommended, but not strictly required in order to be in compliance with Article 28(3)(a) GDPR. This position is without prejudice to the need for a contractual obligation to inform the controller when the processor is legally required to process personal data other than upon the controller’s instructions […]

It also points out that in such a case a transfer or an onward transfer to a third country is likely to have taken place and that the requirements of Art. 44 et seq. GDPR must be observed, which leads to an examination of the recipient’s law (as part of the adequacy decision or a TIA).

The EDPB raises another interesting question: if the controller allows the AB to process data differently where required by law, is that an instruction of the controller? In practice, it can be observed that deviating processing by the AB is included in the contract as an instruction permitting this processing, which, however, raises the question of whether the controller may issue such instructions at all (e.g. in the case of Microsoft, when it comes to the limited processing for its own purposes provided for in Microsoft’s DPA).

The EDPB is of the opinion here that such an instruction must be

  • sufficiently detailed and
  • revocable at any time.

The latter is not the case in practice in such cases, which is why, in the EDPB’s opinion, there is no instruction – at least not a data protection-compliant one.

AI-generated takeaways can be wrong.