DATA PROTECTION
European Data Protection Board: Opinion adopted on Article 28 of the GDPR and on certain obligations arising from the designation of an external data processor (and sub-processors).
Art. 64(2) GDPR provides that any DPA can ask the Board to issue an opinion on matters of general application or producing effects in more than one Member State. Following an Art. 64(2) GDPR request to the Board by the Danish Data Protection Authority (DPA), the EDPB adopted an Opinion on situations where controllers rely on one or more processors and sub-processors.
In particular, the Opinion addresses eight questions on the interpretation of certain duties of controllers relying on processors and sub-processors, as well as the wording of controller-processor contracts, arising in particular from Art. 28 GDPR.
The Opinion explains that controllers should have the information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under Art. 28 GDPR. Besides, the controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ should apply regardless of the risk to the rights and freedoms of data subjects, although the extent of such verification may vary, notably on the basis of the risks associated with the processing.
The Opinion also states that while the initial processor should ensure that it proposes sub-processors with sufficient guarantees, the ultimate decision and responsibility on engaging a specific sub-processor remains with the controller.
The EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check if data protection obligations have been passed down the processing chain. The controller should assess whether requesting a copy of such contracts or reviewing them is necessary for it to be able to demonstrate compliance with the GDPR.
In addition, where transfers of personal data outside of the European Economic Area take place between two (sub-)processors, the processor acting as data exporter should prepare the relevant documentation, such as documentation relating to the ground of transfer used, the transfer impact assessment and any supplementary measures. However, as the controller remains subject to the duties stemming from Art. 28(1) GDPR on ‘sufficient guarantees’, in addition to those under Art. 44 to ensure that the level of protection is not undermined by transfers of personal data, it should assess this documentation and be able to show it to the competent Data Protection Authority.