Yesterday, the EDPB published its Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s), adopted on 7 October 2024. The opinion responds to questions from the Danish SA, which appear to be based, at least in part, on the findings of the first coordinated enforcement action under the Coordinated Enforcement Framework (CEF) on the use of cloud services in the public sector. It is therefore relevant to all controllers whose processing activities are fully or partly "outsourced" to cloud service providers (processors and their sub-processors).
Some quick excerpts (highlighting is mine):
- Margin no. 25: In cases where the controller decides to accept certain sub-processors at the time of the signature of the contract, a list of approved sub-processors should be included in the contract or an annex thereto. The list should then be kept up to date, in accordance with the general or specific authorisation given by the controller. […]
- No. 28: This means that the information relating to the identification of all of the processor’s sub-processors should be easily accessible to the controller. […]
- No. 31: While this is not explicit in these provisions, the Board considers that for the purpose of Article 28(1) and 28(2) GDPR, controllers should have the information on the identity of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under the provisions mentioned above. […]
- No. 32: To this end, the processor should proactively provide to the controller all information on the identity of all processors, sub-processors etc. processing on behalf of the controller, and should keep this information regarding all engaged sub-processors up to date at all times.
- No. 88: As a first step, where personal data will be transferred to third countries in connection with the use of (sub-)processors, the controller should assess and be able to show documentation relating to the transfer mapping. The controller should ensure that a transfer mapping is carried out by the exporter (which processes personal data on its behalf), setting out which personal data are transferred (including remote access), where, and for which purposes. […]