Processor and Sub-Processor Obligations (EDPB Opinion 22/2024)
The European Data Protection Board (EDPB) Opinion 22/2024 provides critical clarification on the obligations of processors and sub-processors under the General Data Protection Regulation (GDPR), particularly Articles 28 and 29.

**Processor Obligations:** Processors must only process personal data on documented instructions from the controller. They are required to ensure confidentiality, implement appropriate technical and organizational security measures, and assist the controller in fulfilling data subject rights requests. Processors must also support controllers in conducting Data Protection Impact Assessments (DPIAs) and in notifying data breaches. Upon termination of the processing relationship, processors must delete or return all personal data unless EU or member state law requires continued storage.

**Sub-Processor Engagement:** A processor must obtain prior specific or general written authorization from the controller before engaging a sub-processor. In cases of general authorization, the processor must inform the controller of any intended changes, giving the controller the opportunity to object. The EDPB emphasizes that the same data protection obligations outlined in the controller-processor contract must be imposed on the sub-processor through a binding contract.

**Liability and Accountability:** The processor remains fully liable to the controller for the sub-processor's performance. If the sub-processor fails to fulfill its obligations, the initial processor bears responsibility. This creates a chain of accountability ensuring that data protection standards are maintained throughout the processing chain.
**Key Clarifications from EDPB:** Opinion 22/2024 reinforces that processors cannot determine the purposes or means of processing without becoming controllers themselves. It also clarifies that processor agreements must be sufficiently detailed, specifying the subject matter, duration, nature, purpose, types of personal data, and categories of data subjects.

**Compliance Implications:** Organizations acting as processors must conduct due diligence on sub-processors, maintain comprehensive documentation, and ensure contractual safeguards are in place. Non-compliance can result in significant administrative fines under Article 83 GDPR, highlighting the importance of robust processor governance frameworks.
Processor and Sub-Processor Obligations (EDPB Opinion 22/2024) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Understanding the obligations of processors and sub-processors is a cornerstone of European data protection law and a critical topic for the CIPP/E examination. The European Data Protection Board (EDPB) issued Opinion 22/2024 to provide further clarity on the interpretation and practical application of Article 28 and related provisions of the GDPR concerning processor and sub-processor relationships. This guide will walk you through why this topic matters, what it entails, how it works in practice, and how to approach exam questions on this subject with confidence.
Why Is This Topic Important?
The processor and sub-processor framework is one of the most frequently tested areas in the CIPP/E exam for several reasons:
1. Prevalence in practice: Almost every organisation relies on third-party service providers (processors) to handle personal data, from cloud computing services to payroll providers. Understanding the legal obligations governing these relationships is essential for any data protection professional.
2. Regulatory enforcement: Supervisory authorities across the EEA have issued significant fines and corrective measures for failures related to processor agreements, inadequate oversight of sub-processors, and unauthorised sub-processing. The EDPB's Opinion 22/2024 was issued partly in response to divergent national interpretations, making it a high-priority harmonisation instrument.
3. Accountability principle: The GDPR places the controller at the centre of accountability, but processors and sub-processors carry direct obligations as well. A misunderstanding of who bears which responsibilities can lead to compliance failures and exam errors alike.
4. Supply chain complexity: Modern data processing ecosystems involve multiple layers of sub-processing. EDPB Opinion 22/2024 addresses the cascading nature of obligations through the sub-processing chain, which is a nuanced and frequently examined concept.
What Are Processor and Sub-Processor Obligations?
Defining Key Roles
Under Article 4 GDPR:
- A controller determines the purposes and means of processing personal data.
- A processor processes personal data on behalf of the controller.
- A sub-processor is another processor engaged by the processor to carry out specific processing activities on behalf of the controller.
Core Legal Basis: Article 28 GDPR
Article 28 GDPR sets out the framework for processor obligations, including:
- Article 28(1): Controllers must use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
- Article 28(2): Processors shall not engage another processor (sub-processor) without prior specific or general written authorisation of the controller.
- Article 28(3): Processing by a processor must be governed by a contract or legal act (the Data Processing Agreement, or DPA) that sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data, categories of data subjects, and the obligations and rights of the controller.
- Article 28(4): When a sub-processor is engaged, the same data protection obligations as set out in the controller-processor contract must be imposed on the sub-processor, particularly providing sufficient guarantees.
What EDPB Opinion 22/2024 Clarifies
The EDPB Opinion 22/2024 provides authoritative guidance on several contentious and complex aspects of processor and sub-processor obligations:
1. Scope of processor obligations under the GDPR: The Opinion clarifies that processors have direct obligations under the GDPR (e.g., Articles 28, 29, 30(2), 32, 33(2), 37, and Chapter V on international transfers), and these are not merely contractual but statutory in nature.
2. General vs. specific authorisation for sub-processors: The Opinion elaborates on how general written authorisation works in practice. When a controller provides general authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object.
3. The right to object to sub-processors: EDPB Opinion 22/2024 stresses that the controller's right to object must be meaningful and effective. A mere notification without a genuine ability to object does not satisfy Article 28(2). The Opinion addresses situations where processors present changes on a take-it-or-leave-it basis, noting that this may undermine the controller's ability to fulfil its accountability obligations.
4. Cascading obligations in the sub-processing chain: The Opinion emphasises that when a processor engages a sub-processor, it must impose the same data protection obligations by contract. This creates a chain of contractual accountability. If the sub-processor fails to fulfil its obligations, the initial processor remains fully liable to the controller for the performance of the sub-processor's obligations (Article 28(4)).
5. Due diligence and ongoing monitoring: Both controllers and processors have ongoing duties. Controllers must verify that processors provide sufficient guarantees not just at the time of engagement but on an ongoing basis. Processors must similarly vet their sub-processors.
6. Content of the Data Processing Agreement (DPA): The Opinion provides guidance on the mandatory elements of a DPA, including how to address sub-processing, international transfers, data breach notification, data subject rights assistance, and audit rights.
7. Processor acting outside instructions: If a processor determines the purposes and means of processing beyond what the controller has instructed, that processor is considered a controller in respect of that processing (Article 28(10)). Opinion 22/2024 reinforces that this determination must be assessed factually, not merely based on contractual labels.
How Does It Work in Practice?
Step 1: Selecting a Processor
The controller must conduct due diligence before engaging a processor. This includes assessing:
- The processor's technical and organisational measures (security, encryption, access controls).
- The processor's track record and certifications (e.g., ISO 27001, approved codes of conduct).
- The processor's ability to assist the controller with data subject requests, breach notifications, and DPIAs.
Step 2: Entering Into a Data Processing Agreement
A binding DPA must be in place before processing begins. Per Article 28(3), the DPA must specify:
- The subject matter and duration of processing.
- The nature and purpose of processing.
- The types of personal data and categories of data subjects.
- The controller's instructions and the processor's obligation to follow them.
- Confidentiality obligations.
- Security measures under Article 32.
- Conditions for engaging sub-processors.
- Assistance obligations (data subject rights, breach notification, DPIAs).
- Deletion or return of data upon termination.
- Audit and inspection rights.
Step 3: Managing Sub-Processors
When the processor wishes to engage a sub-processor:
- Under specific authorisation: The processor must obtain the controller's explicit consent for each named sub-processor before engagement.
- Under general authorisation: The processor must inform the controller of any intended changes (additions or replacements) and provide a reasonable period for the controller to object. If the controller objects, the processor must not proceed with the sub-processor or must offer the controller the ability to terminate the contract.
The EDPB Opinion 22/2024 highlights that the objection mechanism must be genuine and not illusory. If terminating the contract is the only option and comes with significant penalties or practical barriers, this may not constitute a meaningful right to object.
Step 4: Imposing Obligations on Sub-Processors
Article 28(4) requires the processor to impose on the sub-processor, by way of a contract, the same data protection obligations as those set out in the controller-processor DPA. This includes:
- Following the controller's instructions (passed down through the chain).
- Implementing appropriate security measures.
- Assisting with data subject rights and breach notifications.
- Allowing audits.
- Deleting or returning data at the end of the relationship.
If the sub-processor fails to fulfil its obligations, the processor remains fully liable to the controller.
Step 5: Ongoing Monitoring and Audits
Controllers should not adopt a set-and-forget approach. EDPB Opinion 22/2024 underscores the importance of:
- Regular audits or inspections of processors (and, where necessary, sub-processors).
- Reviewing compliance with the DPA periodically.
- Reassessing the adequacy of technical and organisational measures in light of evolving risks.
Step 6: Handling Breaches and Incidents
Under Article 33(2), the processor must notify the controller without undue delay after becoming aware of a personal data breach. This obligation cascades: sub-processors must notify the processor, who then notifies the controller. Opinion 22/2024 clarifies that contractual arrangements should specify clear timelines and communication channels to ensure prompt notification up the chain.
Key Principles from EDPB Opinion 22/2024 for Exam Purposes
1. Processor obligations are statutory, not merely contractual. Even without a DPA in place, processors have direct GDPR obligations (though the absence of a DPA is itself a violation).
2. Labels do not determine roles. Whether an entity is a controller, processor, or sub-processor depends on the factual circumstances, not on how the parties label themselves in a contract. The EDPB reiterates that functional analysis is key.
3. The controller retains ultimate accountability. Even where processing is delegated to processors and sub-processors, the controller must be able to demonstrate compliance (Article 5(2)).
4. General authorisation requires a meaningful objection right. Take-it-or-leave-it clauses that force controllers to accept any sub-processor change or lose the service may not satisfy Article 28(2).
5. Processor liability for sub-processors is strict. Under Article 28(4), the processor is fully liable to the controller for the sub-processor's performance. This is a critical exam point.
6. International transfers add complexity. When sub-processors are located outside the EEA, the rules on international data transfers (Chapter V GDPR) must also be satisfied, in addition to the sub-processing requirements. Opinion 22/2024 reminds practitioners to ensure that transfer mechanisms are in place at every level of the processing chain.
7. Processor as controller. A processor that goes beyond the controller's instructions and determines its own purposes and means becomes a controller for that processing, with all attendant obligations and liabilities.
Exam Tips: Answering Questions on Processor and Sub-Processor Obligations (EDPB Opinion 22/2024)
Tip 1: Know the Article Numbers
The CIPP/E exam frequently references specific GDPR articles. Memorise the key provisions: Article 28 (processor obligations), Article 29 (processing under the authority of the controller), Article 30(2) (processor's records of processing), Article 32 (security), Article 33(2) (breach notification by processor), and Article 28(10) (processor acting as controller). Being able to tie a legal requirement to its article number will help you quickly identify the correct answer.
Tip 2: Distinguish Between General and Specific Authorisation
Many exam questions test whether you understand the difference between general and specific authorisation for sub-processing. Remember: specific authorisation = named sub-processors approved individually; general authorisation = blanket permission with obligation to inform of changes and provide a right to object. Under EDPB Opinion 22/2024, the right to object under general authorisation must be meaningful.
Tip 3: Focus on Liability Cascading
A favourite exam scenario involves a sub-processor causing a data breach. Remember that under Article 28(4), the processor is fully liable to the controller for the sub-processor's failures. The controller can hold the processor accountable even if the fault lies entirely with the sub-processor. This is distinct from the rules on joint and several liability for data subjects under Article 82.
Tip 4: Watch for Factual vs. Contractual Role Determination
If a question describes a scenario where a party labelled as a processor is making independent decisions about data processing purposes, recognise that this party is functionally acting as a controller. EDPB Opinion 22/2024 reinforces the principle that roles must be determined based on factual analysis, not contractual labels.
Tip 5: Remember the DPA Mandatory Elements
If asked what must be included in a processor agreement, recall the exhaustive list in Article 28(3). Common trap answers include elements that are best practice but not legally required, or elements that belong in a controller-to-controller agreement rather than a DPA.
Tip 6: Understand the Ongoing Nature of Obligations
Due diligence is not a one-time exercise. Exam questions may test whether you recognise that controllers must continuously monitor processors, and processors must continuously monitor sub-processors. EDPB Opinion 22/2024 stresses ongoing verification of sufficient guarantees.
Tip 7: International Transfer Considerations
When a question involves a sub-processor located outside the EEA, remember that both the sub-processing requirements under Article 28 AND the international transfer requirements under Chapter V must be met. Do not focus solely on one at the expense of the other.
Tip 8: Breach Notification Chain
In breach scenarios, the notification chain is: sub-processor → processor → controller → supervisory authority (and data subjects, where required). The processor must notify the controller without undue delay under Article 33(2). The controller then has 72 hours to notify the supervisory authority under Article 33(1). Exam questions often test whether you understand that the 72-hour clock starts when the controller (not the processor) becomes aware.
Tip 9: Elimination Strategy
For multiple-choice questions, eliminate answers that confuse controller and processor obligations, that suggest processors have no direct GDPR obligations (they do), or that imply sub-processors owe duties directly to the controller (their contractual relationship is with the processor, though the controller benefits from cascading obligations).
Tip 10: Apply the Accountability Principle
When in doubt, ask yourself: does this answer support the accountability principle under Article 5(2)? The GDPR is designed to ensure that controllers can demonstrate compliance throughout the processing chain. Answers that enhance transparency, documentation, and oversight tend to be correct.
Common Exam Scenarios and How to Approach Them
Scenario 1: A cloud service provider changes its sub-processor without notifying the customer.
Analysis: This likely violates Article 28(2). Under general authorisation, the processor must inform the controller of changes and provide an opportunity to object. Under specific authorisation, each sub-processor must be individually approved. EDPB Opinion 22/2024 emphasises that the notification and objection mechanism must be effective.
Scenario 2: A processor begins using personal data for its own analytics purposes.
Analysis: The processor has stepped outside the controller's instructions and is determining its own purpose for processing. Under Article 28(10), the processor is now considered a controller for that processing. It must have its own legal basis and comply with all controller obligations.
Scenario 3: A sub-processor experiences a data breach.
Analysis: The sub-processor must notify the processor without undue delay. The processor must then notify the controller without undue delay under Article 33(2). The controller must assess the risk and, if required, notify the supervisory authority within 72 hours of becoming aware. The processor remains liable to the controller for the sub-processor's failures under Article 28(4).
Scenario 4: A controller wants to audit a sub-processor directly.
Analysis: The controller's contractual relationship is with the processor, not the sub-processor. However, the controller can require in the DPA that the processor ensure audit rights over sub-processors, or that the controller can directly audit sub-processors. EDPB Opinion 22/2024 supports the principle that controllers must have effective oversight mechanisms, which may include direct or indirect audit rights over sub-processors.
Summary
Processor and sub-processor obligations under the GDPR, as clarified by EDPB Opinion 22/2024, represent a multi-layered compliance framework built on contractual obligations, statutory duties, and the overarching accountability principle. For CIPP/E exam success, focus on:
- The distinction between controller, processor, and sub-processor roles based on factual analysis.
- The mandatory elements of a DPA under Article 28(3).
- General vs. specific authorisation and the meaningful right to object.
- Cascading liability from sub-processor to processor to controller.
- The ongoing nature of due diligence and monitoring obligations.
- Breach notification chains and timelines.
- The consequences of a processor acting outside its instructions.
- International transfer requirements in the sub-processing chain.
By mastering these concepts and applying the exam tips outlined above, you will be well-prepared to tackle any question on processor and sub-processor obligations in the CIPP/E examination.