European Union: Adopted EDPB opinion 22/2024 on obligations following from the reliance on processors and sub-processors

On 7 October 2024, the European Data Protection Board (EDPB) adopted an opinion on the obligations following the reliance on processors and sub-processors. The opinion was adopted following a request from the Danish Supervisory Authority to clarify aspects of Article 28 of the General Data Protection Regulation (GDPR) on processors, particularly regarding controller-processor contracts and transfers of personal data outside the European Economic Area. The opinion highlights that controllers must always have the identity of processors and sub-processors readily available, and processors must provide sufficient guarantees. It also clarifies that controllers are responsible for verifying these guarantees, with increased scrutiny for high-risk processing. EDPB also addresses the wording of contracts, advising that processors follow documented instructions unless required by law, and stresses that third-country transfers must not undermine the GDPR’s protections.