The European Data Protection Board (EDPB) has published Opinion 22/2024, which provides key clarifications on the controller's duty to oversee processors in data processing. The statements are particularly important for multi-level contractual relationships (chains of processors and sub-processors) and strengthen the role of the controller: it cannot evade its obligations by delegating processing.
Key clarifications by the EDPB
1. Knowledge of all parties involved is required
Controllers must be able to identify all processors and sub-processors involved in the processing. This is the only way to properly fulfil the data subjects' rights to information under Article 15 GDPR.
2. Responsibility across the entire processing chain
Overall responsibility for data protection remains with the controller, regardless of the number of processors involved. This follows from Art. 24 (1) and Art. 28 (1) GDPR. Effective monitoring of compliance with data protection requirements must be ensured at all levels.
3. Risk-based review of subcontracting relationships
The requirements for control measures increase depending on the risk of the processing. In the case of particularly risky processing, an immediate review of individual subcontractors may be necessary.
4. Access to subcontracting agreements
The controller has the right to request that subcontracting agreements be made available to it. This applies in particular if there are specific doubts about their compliance with data protection regulations or if weaknesses have been identified.
Requirements for transfers to third countries
1. Compliance with the provisions of Chapter V of the GDPR
Controllers must ensure that any data transfer to a third country is based on a valid legal basis and complies with the provisions of Chapter V of the GDPR.
2. Existence of an adequacy decision
If the EU Commission has adopted an adequacy decision for the destination country, no further review of the transfer mechanism is necessary.
3. Appropriate safeguards in the absence of an adequacy decision
In the absence of an adequacy decision, appropriate safeguards – such as standard data protection clauses – are required. In addition, a so-called Transfer Impact Assessment (TIA) must be carried out.
4. Plausibility check of the TIA by the controller
The controller cannot rely on the assessment of the processor, but must verify and document the plausibility of the checks carried out.
Conclusion
The EDPB's statement underlines the inalienable responsibility of the controller at all stages of data processing. The intensity of the checks depends on the specific risk of the processing; accountability for data protection, however, remains with the controller in every case.
Data Protection Officers are well advised to critically review existing processes for selecting and monitoring (sub-)processors and to further develop them in a risk-oriented manner. Controllers should involve their Data Protection Officers in the selection and review processes at an early stage.
Further information:
- EDPB (EDSA) opinion of 9 October 2024: https://www.edpb.europa.eu/news/news/2024/edpb-adopts-opinion-processors-guidelines-legitimate-interest-statement-draft_de
- Overview of adequacy decisions by the European Commission https://datenschutz.hessen.de/datenschutz/internationaler-datentransfer/angemessenheitsbeschluesse-der-europaeischen-kommission
Source (in German published 9 June 2025): https://www.adorgasolutions.de/kontrollpflichten-bei-ketten-auftragsverarbeitung-edsa-schafft-klarheit/