The European Data Protection Board (EDPB) has adopted an Opinion on the split of controller and processor responsibilities and the implications for their contractual arrangements. This reflects, in the main, a one-size-fits-all approach, with the requirements applying regardless of whether the arrangement involves long-term, large-scale processing of personal data, or whether the personal data that is processed is minor and ancillary to the services. With the complexity of supply chains, this potentially leads to some challenges in the real world.
The Opinion emphasises that controllers are ultimately responsible for a range of obligations, most of which are under the day-to-day control of their processors and sub-processors. Given the EDPB’s focus on the controller’s oversight of processing throughout the chain, controllers will need to consider how they manage their processor supply chains in future, and this will require more proactive engagement with, and overview of, the processors’ (and sub-processors’) compliance. It will also have a knock-on impact in other areas, such as privacy notices and records of processing, given that the EDPB clarifies that all those processing personal data (i.e. all the way down the chain) should be included in these as “recipients” of personal data.
Market practice had settled on the approach to incorporating the mandatory processor terms of Article 28(3) of the General Data Protection Regulation (GDPR). The Opinion however necessitates changes to this, and in some cases requires a position which has been opposed by processors to date. Key changes required to be reflected include the following.
Sub-processors
- If the controller accepts certain sub-processors at the time of contract, they should be listed in the contract.
- Processors must proactively keep controllers informed of the identity and processing activities of sub-processors (and those further down the chain) – this includes the name and address of the organisations and details of the relevant contact person at each.
- If the controller gives general authorisation to appoint sub-processors, the processor must give the controller the opportunity to approve a list of them at the time of contract. The contract must also set out the criteria the processor will use when selecting sub-processors going forward.
International transfers
- Before making an international transfer, processors (and sub-processors) need to provide the controller with a copy of the transfer risk assessment and the completed standard contractual clauses. Controllers also need the ability to ask for additional information if, following their review of these materials, they don’t consider them to be sufficient.
- If the (sub-)processor is relying on an adequacy decision, they need to inform the controller of this so that the controller can check that the adequacy decision covers the relevant transfer.
Copies of sub-processor contracts
- Controllers need to have the right to request copies of sub-processor contracts so that they can, if necessary, ensure that obligations have been passed down the chain.
Whilst EDPB opinions are not binding per se, they reflect the agreed common understanding of the data protection authorities of the EU member states. This Opinion will therefore be followed by them and we can expect to see this reflected in their own guidance and enforcement actions in due course.
Given Brexit, the Information Commissioner’s Office (ICO) no longer needs to follow EDPB opinions. However, the ICO still considers them as providing helpful guidance on certain issues. It will therefore be interesting to see if and to what extent the ICO decides to reflect the Opinion in its own guidance. Even if it stays silent, this doesn’t of course mean that it wouldn’t look to the Opinion should it be relevant in a particular case in future.
Even companies that are not subject to the EU GDPR should therefore be mindful of this Opinion, albeit there is greater flexibility as to which aspects to adopt. The Opinion is also likely to guide market practice more widely and so will have a knock-on impact on the UK. That said, there has already been commentary from organisations representing the processor industry pushing back on the EDPB’s interpretation of the relevant GDPR provisions. It will therefore be interesting to see where market practice lands.