# Subprocessing under the GDPR: Key Implications of the EDPB’s October 2024 Opinion

Author: Leïla Sayssa
Published: 9 April 2025

On **7 October 2024**, the **European Data Protection Board (EDPB)** [issued an opinion clarifying certain obligations under the **General Data Protection Regulation (GDPR)** arising from the **use of processors and subprocessors**.](https://www.edpb.europa.eu/system/files/2024-10/edpb_opinion_202422_relianceonprocessors-sub-processors_en.pdf) This opinion complements the EDPB’s **2020 Guidelines** on the concepts of *controller* and *processor*, and provides updated guidance for **data controllers engaging in complex chains of subprocessing arrangements**.

Discover the key takeaways from the EDPB’s opinion below. Although it is a non-binding consultative opinion, it serves as an influential reference for anticipating how supervisory authorities may interpret the GDPR.

## 🏛️ What responsibility in the processing chain?

Since the GDPR’s entry into force, controllers have been subject not only to substantive obligations, but also to the **duty to demonstrate compliance** (Article 5(2) — the **accountability principle**).

In subprocessing chains, particularly those involving multiple tiers (e.g., processor → subprocessor → sub-subprocessor), **compliance becomes more operationally demanding**, but the **controller’s accountability remains unchanged**.

> ⚠️ The EDPB makes it clear: **complexity in the processing chain does not relieve the controller of responsibility**.

While the initial processor bears contractual responsibility for its subprocessors, the **data controller must independently verify** that **all processors in the chain provide sufficient guarantees** (Article 28(1) GDPR) regarding the implementation of **appropriate technical and organisational measures** to ensure **continuous protection of data subjects’ rights**.

Moreover, although processors may play a role in the **selection and evaluation** of subsequent processors, the **final decision and legal liability** for engaging them **rests solely with the controller**.

👉 The data controller must therefore verify and document that **each actor in the chain** provides sufficient technical and organisational guarantees to protect personal data.

## 🔍 Verifying Subprocessor Guarantees: A Legal Obligation

### Identifying the chain of processors: a prerequisite

Per the EDPB, **controllers must maintain up-to-date and comprehensive records** identifying all processors and subprocessors, including:

- Name, address, and contact details of each entity
- Timely updates of any changes
- Inclusion of this list in contractual arrangements

This transparency is necessary for fulfilling the information requirements under **Articles 13 and 14 GDPR** and for facilitating the exercise of data subject rights (e.g., access, objection).

### Verifying Documentation

The controller must go **beyond mere identification** and carry out **substantive due diligence** to verify that processors meet GDPR requirements. This may include:

- Verification of **adherence to codes of conduct** (Art. 40 GDPR)
- Assessment of **certifications** (Art. 42 GDPR)
- Review of **security and privacy policies** and **terms of use**
- Deployment of **evaluation questionnaires**
- Performance of **on-site or remote audits**

> 🔔 The EDPB stresses that **these verifications are mandatory**, regardless of risk level, but must be **proportionate to the specific risks** involved.

For high-risk processing activities—e.g., involving **special categories of data** (Art. 9 GDPR)—controllers are expected to:

- Conduct enhanced due diligence
- Request additional guarantees or documentation
- Consult independent or public sources
- Establish audit mechanisms and regular compliance checks

### Should Controllers Obtain Contracts Between Processors and Subprocessors?

The EDPB offers a **context-dependent** approach. Controllers are **not systematically required** to request these downstream contracts. However, they **should do so** where:

- There are **indications of non-compliance** or **prior data breaches** by subprocessors
- The controller is otherwise **unable to assess the level of guarantees**

Upon request, **processors are required to make these contracts available**. The controller must ensure that contracts:

- Comply with **Article 28 GDPR**, including all mandatory provisions
- Address any scenarios in which a processor may act **outside of the controller’s instructions**, such as legal obligations or binding orders from public authorities

> 📌 Reviewing contractual clauses is necessary, but **not sufficient**. Controllers must also factor in **practical implementation and evidence of compliance**.

## 🌍 What about International Data Transfers in Subprocessing Chains?

Where processors or subprocessors transfer personal data **outside the EU/EEA**, the controller remains responsible for ensuring that **appropriate safeguards are in place** (Chapter V GDPR).

Controllers must:

- Obtain and assess documentation including:
  - The **legal basis** for the transfer (e.g., adequacy decision, SCCs)
  - **Transfer impact assessments**
  - **Supplementary measures**, if applicable
  - The relevant **data transfer agreement**
- Maintain a **transfer map** to document all international data flows

> The existence of data transfers to third countries outside the EU/EEA constitutes a risk factor that may necessitate enhanced levels of verification by the data controller.
>
> For example: the **mere existence of an adequacy decision** is insufficient. Controllers must verify that the processing **falls within its scope** and that the decision remains **valid and applicable**.

## 🧑‍🚀 Streamline Your Verification Processes with Dastra

The EDPB acknowledges the **operational complexity** of managing cascading subprocessing chains. Despite this, **the accountability obligation remains fully enforceable**, with **no exception or derogation** based on scale or sector.

### How can Dastra help?

With Dastra, data controllers can:

- **Map** all subprocessors and their relationships
- **Centralize** contracts and key documentation
- **Generate** and store compliant contractual frameworks
- **Launch automated assessments** through built-in questionnaires
- **Monitor lifecycle changes** of subprocessors
- **Track and document** international data transfers

> 🧭 Dastra enables controllers to meet their GDPR obligations effectively, even in **highly complex processing ecosystems**.
>
> Let Dastra simplify your compliance journey, [get started now!](https://www.dastra.eu/en/contacts/demo)