The European Data Protection Board has adopted an opinion on the obligations arising from Article 28 of the Data Protection Regulation on the data controller’s use of (sub)data processors, including the data controller’s documentation obligation when using (sub)data processors.
At the plenary meeting on 7-8 October 2024, the European Data Protection Board (EDPB) adopted an opinion pursuant to Article 64, paragraph 2 of the Data Protection Regulation on the obligations of data controllers when using data processors. The Danish Data Protection Authority actively participated in the work on the opinion, particularly because it was important to the authority that a clear common understanding of the rules on the data controller's use of data processors in complex services was formulated, and equally important that this understanding is enforced consistently across the national supervisory authorities.
The request for the opinion was made by the Danish Data Protection Authority because many data controllers, both in Denmark and in the rest of Europe, make extensive use of data processors, particularly in connection with cloud services, where the cloud supplier often uses a number of subcontractors to deliver its services. One area where many data controllers continuously experience challenges is the question of what documentation the data controller must provide in order to ultimately ensure compliance with the GDPR.
It is therefore positive that there is now a pan-European opinion in this area.
EDPB opinion
In the opinion, the EDPB addresses, among other things, the extent to which the data controller must be able to identify all its data processors, and the extent to which the data controller must verify and document that sub-processors are in fact subject to the same data protection obligations as the first data processor.
The opinion also addresses the data controller's documentation obligation in the situation where a data processor within the EU/EEA transfers personal data to a (sub)data processor in a third country.