Adopted on 17 October 2024

Executive summary

The Danish SA requested the EDPB to issue an opinion on matters of general application pursuant to Article 64(2) GDPR. The opinion contributes to a harmonised interpretation by the national supervisory authorities of certain aspects of Article 28 GDPR, where appropriate in conjunction with Chapter V GDPR. In particular, the opinion addresses questions on the interpretation of certain duties of controllers relying on processors and sub-processors, arising in particular from Article 28 GDPR, as well as the wording of controller-processor contracts. The questions address processing of personal data in the EEA as well as processing following a transfer to a third country.

The Board concludes in this opinion that controllers should have the information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under Article 28 GDPR, regardless of the risk associated with the processing activity. To this end, the processor should proactively provide to the controller all this information and should keep it up to date at all times.

Article 28(1) GDPR provides that controllers have the obligation to engage processors providing ‘sufficient guarantees’ to implement ‘appropriate’ measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects. The EDPB considers, in its opinion, that when assessing compliance of controllers with this obligation and with the accountability principle (Article 24(1) GDPR), SAs should consider that the engagement of processors should not lower the level of protection for the rights of data subjects. The controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ to implement the appropriate measures determined by the controller should apply regardless of the risk to the rights and freedoms of data subjects. However, the extent of such verification will in practice vary depending on the nature of these technical and organisational measures, which may be stricter or more extensive depending on the level of such risk.

The EDPB further specifies in the opinion that while the initial processor should ensure that it proposes sub-processors providing sufficient guarantees, the ultimate decision on whether to engage a specific sub-processor and the pertaining responsibility, including with respect to verifying the guarantees, remains with the controller. SAs should assess whether the controller is able to demonstrate that the verification of the sufficiency of the guarantees provided by its (sub-)processors has taken place to the controller’s satisfaction. The controller may choose to rely on the information received from its processor and build on it if needed (for example, where it seems incomplete, inaccurate or raises questions). More specifically, for processing presenting a high risk to the rights and freedoms of data subjects, the controller should increase its level of verification in terms of checking the information provided. In that regard, the EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check whether the data protection obligations provided for in the initial contract have been passed down the processing chain. The controller should assess, on a case-by-case basis, whether requesting a copy of such contracts or reviewing them at any time is necessary for it to be able to demonstrate compliance in light of the principle of accountability. Where transfers of personal data outside of the EEA take place between two (sub-)processors, in accordance with the controller’s instructions, the controller is still subject to the duties stemming from Article 28(1) GDPR on ‘sufficient guarantees’, besides the ones under Article 44 to ensure that the level of protection guaranteed by the GDPR is not undermined by transfers of personal data. The processor/exporter should prepare the relevant documentation, in line with the case-law and as explained in EDPB Recommendations 01/2020. The controller should assess and be able to show to the competent SA such documentation. The controller may rely on the documentation or information received from the processor/exporter and if necessary build on it. The extent and nature of the controller’s duty to assess this documentation may depend on the ground used for the transfer and whether the transfer constitutes an initial or onward transfer.

The EDPB also addressed, in the opinion, a question on the wording of controller-processor contracts.

In this respect, a basic element is the commitment for the processor to process personal data only on documented instructions from the controller, unless the processor is “required to [process] by Union or Member State law to which the processor is subject” (Article 28(3)(a) GDPR) - recalling the general principle that contracts cannot override the law. In light of the contractual freedom afforded to the parties to tailor their controller-processor contract to their circumstances, within the limits of Article 28(3) GDPR, the EDPB takes the view that including the words “unless required to do so by Union or Member State law to which the processor is subject” (either verbatim or in very similar terms) is highly recommended but not mandatory.

As to variants similar to “unless required to do so by law or binding order of a governmental body”, the EDPB takes the view that this remains within the prerogative of the contractual freedom of the parties and does not infringe Article 28(3)(a) GDPR per se. At the same time, the EDPB identifies a number of issues in its opinion, as such a clause does not exonerate the processor from complying with its obligations under the GDPR.

For personal data transferred outside of the EEA, the EDPB considers it unlikely that the wording “unless required to do so by law or binding order of a governmental body”, in itself, suffices to achieve compliance with Article 28(3)(a) GDPR in conjunction with Chapter V. As is illustrated by the European Commission’s International Transfer SCCs and the BCR-C recommendations, Article 28(3)(a) GDPR does not prevent - in principle - the inclusion in the contract of provisions that address third country law requirements to process transferred personal data. However, as is the case in these documents, a distinction should be made between the third country law(s) which would undermine the level of protection guaranteed by the GDPR and those that would not.

Finally, the EDPB recalls that the possibility of third country law impeding compliance with the GDPR should be a factor considered by the parties before entering into the contract (between controller and processor or between processor and sub-processor).

Where the processor is processing personal data within the EEA, it may still be faced with third country law, in certain circumstances. The EDPB underlines that the addition in the contract of wording similar to “unless required to do so by law or binding order of a governmental body” does not release the processor from its obligations under the GDPR.

Finally, the EDPB is of the opinion that following up the commitment of the processor to only process on documented instructions with “unless required to do so by law or binding order of a governmental body” (either verbatim or in very similar terms) cannot be construed as a documented instruction by the controller.

The European Data Protection Board

Having regard to Article 63 and Article 64(2) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018,

Having regard to Article 10 and Article 22 of its Rules of Procedure,

Whereas:

(1) The main role of the European Data Protection Board (hereafter the ‘Board’ or the ‘EDPB’) is to ensure the consistent application of the GDPR throughout the European Economic Area (‘EEA’). Article 64(2) GDPR provides that any supervisory authority (‘SA’), the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one EEA Member State be examined by the Board with a view to obtaining an opinion. The aim of this opinion is to examine a matter of general application or which produces effects in more than one EEA Member State.