All the way down: the EDPB sets out its high expectations of controllers in managing processors and sub-processors
In a nutshell
On 7 October 2024, the European Data Protection Board ("EDPB") adopted Opinion 22/2024 (the "Opinion"), addressing key questions on controllers' duties under Article 28 of the EU GDPR when relying on processors and sub-processors.
The Opinion provides insights into the EDPB's relatively high expectation for controllers in managing processors and sub-processors along the full length of the supply chain – with some requirements absolute and others commensurate to the risk of the data processing activity down the supply chain. For example, controllers must at all times have readily available information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. as well as a description of the processing (including a clear "delineation of responsibilities"), so that they can best fulfil their obligations under Article 28. This requirement applies regardless of the risk associated with the processing activity.
The EDPB reiterates its Guidelines 07/2020 (on the concepts of controllers and processors in the GDPR) (the "2020 Guidelines") in a number of places as the rationale for some of the statements in its Opinion. Whilst to some the Opinion may be regarded as current "good" or "best" market practice already, other stakeholders have criticised the Opinion, stating that "imposing such an end-to-end requirement would overburden businesses" and would be "unrealistic" – particularly for long complex data processing supply chains, where cloud service providers are involved or entities located in third countries.
We may see both controllers and processors revisit their existing data processing / sub-processing arrangements in light of the transparency and oversight highlighted by the Opinion.
Although the ICO is not bound by EDPB opinions, it remains to be seen whether the UK data protection authority will consider this Opinion when interpreting (and enforcing) the same provisions under the UK GDPR.
The Opinion was prompted by a request from the Danish Supervisory Authority and aims to ensure consistent application of the EU GDPR by the national supervisory authorities ("SAs") across the European Economic Area ("EEA") but appears to impose significant (additional) burdens on controllers in relation to managing their supply chain.
We set out below a deeper dive of the areas covered by the Opinion.
(1) Understanding your duties as a controller in the data processing supply chain
- Identifying actors in the processing chain
The EDPB states that controllers must at all times have readily available information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. as well as a description of the processing (including a clear "delineation of responsibilities"), so that they can best fulfil their obligations under Article 28. This requirement applies regardless of the risk associated with the processing activity.
The engagement of additional processors by the initial processor requires prior specific or general written authorisation from the controller under Article 28(2) EU GDPR. The Opinion reiterates elements of the 2020 Guidelines which set out practical guidance on the use of specific and general authorisation. In particular, the processor should "proactively provide" this information to the controller and "keep this information regarding engaged sub-processors up to date at all times". The controller and processor may include in the contract further details on how, and in which format, the processor is to provide this information.
The Business Software Alliance (the "BSA", a global advocate for the software industry before governments and in the international marketplace) has commented that:
"This opinion challenges existing well-established practices and has major implications for businesses, especially those leveraging cloud services, to the detriment of both the controller (business customer) and processor (cloud service provider)…The EDPB's decision introduces a significant new requirement on data controllers to be aware of all processors in their entire sub-processing chain and on data processors to proactively provide such information to the controllers. Imposing such an end-to-end requirement would overburden businesses, especially small and medium-sized enterprises (SMEs), without providing real improvements in the level of data protection. It would also be unrealistic for both cloud service providers acting as processors and their business customers acting as controllers."
In particular, the requirements of the Opinion may be considered by some to run contrary to the approach of the GDPR, which appeared to break the chain of responsibility by imposing direct obligations on processors, not just on controllers.
- Verification and documentation by the controller of the sufficiency of the guarantees provided by all processors in the processing chain
Under Article 28(1) EU GDPR, controllers must only engage processors to carry out processing on their behalf, where the processor provides 'sufficient guarantees' to implement 'appropriate' technical and organisational measures to ensure the processing meets the requirements of the EU GDPR and protects data subject rights. Accordingly, the Opinion states that the engagement of processors should not compromise the level of protection of data subject rights (compared to where the controller directly carries out the processing).
The Opinion highlights that the controller's obligation to verify whether the (sub-) processors present 'sufficient guarantees' to implement the appropriate measures applies regardless of the risk to rights and freedoms of data subjects. However, the extent of such verification may vary depending on the nature of those technical and organisational measures, which is determined by the controller based on the level of risk associated with the processing.
These considerations hold true even if the chain of processing is long and complex, with different processors, sub-processors etc. involved at different stages of the processing activities.
Articles 28(2) and (4) EU GDPR stipulate that the initial processor should ensure it proposes sub-processors that provide sufficient guarantees. The initial processor therefore has a role to play in the choice of sub-processors and in verifying the guarantees that sub-processors provide and should provide the controller with sufficient information. This is consistent with the fact that the initial processor remains fully liable to the controller for performance of the sub-processors' obligations (Article 28(4), EU GDPR).
However, the ultimate decision to engage a specific sub-processor, along with the associated responsibility for verifying these guarantees, remains with the controller. As such, supervisory authorities should assess whether the controller can demonstrate that it has satisfactorily verified these guarantees.
- Verification of contract between initial processor and the additional processors
The initial processor is legally (Article 28(4), EU GDPR) and contractually required to pass down the same data protection obligations in the sub-processing contracts it concludes with additional processors. Similarly, the additional processors will be contractually required by the initial processor to impose the same data protection obligations on their own processors, and so on down the processing chain.
The Opinion reiterates that if a sub-processor fails to fulfil its obligations, the ultimate responsibility for performance of that sub-processor's obligations rests with the controller. However, the initial processor will remain liable to the controller, and the controller can bring a contractual claim against its initial processor for failure to pass down the data protection obligations in sub-processing contracts.
The Opinion also reiterates the controller should take into account several elements when verifying the guarantees provided by processors and an exchange of relevant information / documentation will often be required. For example, the 2020 Guidelines refer to policies and documentation such as privacy policies, terms of service, records of processing activities, information security policies, recognised certifications such as the ISO 27000 series.
When it comes to documentation as part of the verification process, the controller has the option to rely on the information received from its initial processor and build on it if needed. For processing presenting a high risk to rights and freedoms of data subjects, the controller should increase its level of verification in terms of checking the information provided.
The controller may increase the level of its verification by verifying the sub-processing contracts by itself and/or also impose extended verification and documentation requirements on the initial processor. However, the Opinion states that the controller is not under a duty to systematically ask for the sub-processing contracts to check whether the data protection obligations provided for in the initial contract have been passed down the processing chain. Instead, the controller should decide on a case-by-case basis if obtaining or reviewing these contracts is necessary to demonstrate compliance in light of the accountability principle.
That said, the Opinion highlights that a copy of the sub-processing contracts may help to ensure compliance with Article 28(1); and for the controller to demonstrate that its processors and sub-processors present sufficient guarantees (including that the processor complies with Article 28(4), EU GDPR). However, the EDPB also acknowledges that guarantees in writing in the contract cannot, by themselves, demonstrate that the sufficient guarantees are effectively implemented by the parties to the contract.
In the context of exercising its right of audit under Article 28(3)(h) EU GDPR, the controller should also have a process in place to undertake "audit campaigns", i.e. sample-based verification that the contracts with its sub-processors contain the necessary data protection obligations.
- International data transfers where controller is not the exporter
When personal data is transferred outside of the EEA between two (sub-)processors in accordance with the controller's instructions, again the controller must verify that 'sufficient guarantees' are in place. Considering that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V EU GDPR as well.
The processor / exporter should prepare the relevant documentation (e.g. transfer mapping, the ground for the transfer used and, where applicable, the transfer impact assessment and supplementary measures), and the controller should assess that documentation and be able to present it to the competent supervisory authority. Similarly, the controller may rely on the documentation or information received from the processor / exporter and, if necessary, build on it. The extent of the controller's duty to assess this documentation may depend on the ground used for the transfer and on whether the transfer constitutes an initial or onward transfer.
Given the controller should be able to show documentation demonstrating that onward transfers comply with the relevant transfer mechanism under Article 46, EU GDPR, the Opinion provides further detail on the controller's responsibilities for onward transfers down the processing chain, including the need to assess and follow up with the processor regarding documentation it has prepared, if incomplete, incorrect or raises a question.
Whilst the EDPB acknowledges that obtaining information about onward transfers gives rise to "practical difficulties", these "do not exonerate the controller from its responsibilities".
(2) Wording of (sub-)processing contracts
Article 28(3)(a) EU GDPR requires that a controller-processor contract or other legal act shall state that the processor processes the personal data "only on documented instructions from the controller… unless required to do so by Union or Member State law to which the processor is subject". The Opinion confirms that including this exact wording in (sub-)processing contracts is highly recommended but not mandatory. Parties may adopt similar wording, such as "unless required to do so by law or binding order of a governmental body". However, such clauses do not exonerate the processor from complying with its EU GDPR obligations.
For personal data transferred outside of the EEA, the EDPB advises that the phrase “unless required to do so by law or binding order of a governmental body” may not be sufficient to comply with Article 28(3)(a) and Chapter V of the EU GDPR. Parties should distinguish between third country laws that undermine GDPR protection and those that do not.
Key contacts
Mackenzie Zhang
Trainee Solicitor, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.