If processors and sub-processors are used in the context of data processing on behalf of a controller – what obligations arise for data controllers? At the request of the Danish data protection supervisory authority, the European Data Protection Board (EDPB) has provided an opinion on this question, which is very important in practice.
EDPB opinion on processor(s) and sub-processor(s)
What is expected of controllers in the context of data processing on their behalf, particularly with regard to a chain of sub-processors?
The EDPB’s answers to this question are not new. However, the clarity with which they have been given is pleasing. Laborious discussions in which a pragmatic approach is supposed to take precedence over the legally correct solution can hopefully be shortened in future.
In short, the controller must also fulfil its obligations with regard to sub-processors in the same way as with directly commissioned processors.
In detail, the EDPB comments on the following aspects:
Knowledge of sub-processors
The controller must know all (!) sub-processors used and also know what they do. The processor must provide this information and any relevant changes.
Unfortunately, this often turns out to be difficult in practice. The information is not provided at all, is far too vague, or comes in a pile that is of little use, from which the controller then has to pick out the information relevant to it with great effort and rather modest success.
The result must be a clear list with full details of the identity of the sub-processors, their tasks and contact details.
Typically, the controller also receives no notification if changes are made in the second or later stages, i.e. at the sub-sub-processor or even further down the chain.
However, this too must be ensured, not least because the recipients must be listed in data protection notices and must in any case be named at the latest when access is requested under Art. 15 GDPR.
Contractual assurance of the fulfilment of obligations
It must be ensured that the obligations are fulfilled in full along the entire chain of service providers and, where necessary, in every single link of the chain.
The sub-processors must therefore comply with the main data processing agreement (DPA) and may not change the defined limits of the processing or reduce the level of protection defined in the DPA with regard to the specific individual case. The sub-processors used must also offer the sufficient guarantees required in Art. 28 (1) GDPR.
Monitoring the fulfilment of duties
The controller must ensure that not only the processor but also the sub-processors actually fulfil their obligations.
To this end, it may be sufficient to require the processor to conclude a suitable contract and to take over the monitoring of the sub-processors – and then, as the controller, only to ensure in an appropriate but also conscientious manner that the processor fulfils these obligations.
With the exception of very risky processing, sub-processor agreements do not need to be checked, nor do the sub-processors themselves need to be reviewed.
As a rule, it should also be possible and sufficient to give the processor the opportunity to check its sub-processors itself and to inform the controller of the result. Own checks by the controller would then only be necessary if the evidence is missing, unsuitable or doubtful.
Such an arrangement should actually suit every processor. Instead of being randomly subjected to uncoordinated reviews by various controllers, proof could be provided at a time of the processor's choosing – and to all controllers at once. This would be easiest for all parties involved and involve the least effort. After all, processors are obliged to carry out self-checks anyway, as a quick glance at Art. 32 (1) d) GDPR confirms. There should therefore be no additional effort at all. Why many processors are nevertheless opposed to such an arrangement can only be surmised and should arouse healthy mistrust.
Third country transfer control
Finally, the controller also remains responsible for ensuring that data transfers to third countries comply with data protection regulations, even if they are carried out by a processor. The controller must receive and check the information and evidence required for this: the legal basis for the transfer, the risk assessment or transfer impact assessment, and any necessary additional security measures.
Data protection assessment
Once again, there is a huge outcry about how impractical, bureaucratic and excessive the whole thing is. But is that really the case?
The fact that one’s own responsibility does not disappear into thin air when a task is delegated, but is merely transformed, is a legal principle and definitely not new. Although the controller hands off the actual performance of a task, the agent used for this must be carefully selected and appropriately monitored. Unfortunately, however, controllers repeatedly refuse to recognise this. It is hard to count how many times, even in certification audits, the objection is raised that the service provider is used precisely because it can do the job much better than the controller itself, and that everything reasonable has therefore been done.
It is also very often argued that the obligations do not apply, or apply only to a limited extent, in view of the low risk. However, this is incorrect and reveals a basic misunderstanding. The formal requirements of the GDPR must always be met, regardless of the risk. Only the security of the processing and its control can and should be designed in a risk-appropriate manner. The need for a suitable contract does not cease to apply because trivial personal data are concerned!
It is no secret that the fulfilment of these requirements will often be very difficult in practice.
The contracts with sub-processors hardly stand up to even a cursory examination. Above all, however, very few processors and sub-processors are prepared for the fact that there may be other controllers above their own client. The drafting of contracts regularly fails to address this position.
Processors would be well advised not to promise anything at the top that they cannot demand at the bottom. Very few service providers currently have their contracts reviewed and adapted so that they assume a hybrid position in which they are both client and contractor. It is extremely important that at least the contracts to which you are a party are harmonised and describe precisely and conclusively in both directions what is promised and can be demanded. However, since this is often not implemented correctly in the first data processing agreement in the series, it only becomes more difficult further down the chain.
Conclusion
Given the liability rules and the risk of liability, it is astonishing that so few companies obtain sufficiently competent advice. Data processing agreements are seen as an accessory. The fact that these are legally binding contracts with full legal effect is often not recognised.
Added to this are the statutory liability rules, and the judgments are piling up. The Higher Regional Court of Dresden (judgment of 15 October 2024 – 4 U 940/24) has just confirmed that a company’s own liability can only be waived if the service provider used has been carefully selected and actually carefully checked.