CIPP/E Study Guide
IAPP Training · Module 3 - BoK II.A

Module 3 · Sub-processors and Opinion 22/2024

A sub-processor is an entity engaged by a processor to help carry out the processing. EDPB Opinion 22/2024 makes three things clear: the controller must keep the identity of all processors and sub-processors readily available, the controller ultimately decides whether to engage a specific sub-processor, and Article 28(1) duties bite even on transfers between two sub-processors outside the EEA.

A sub-processor is another entity the processor brings in - for example, "Recruitment USA Inc." engaged by the recruitment agency. The chain of accountability still runs back to the controller.

  1. Controllers must have readily available the identity of all processors and sub-processors in the chain.
  2. The controller ultimately decides to engage a specific sub-processor, even where the initial processor vouches for sufficient guarantees.
  3. Controllers are subject to Article 28(1) duties when transfers occur between two sub-processors outside the EEA.

Opinion 22/2024 - the headline

The controller cannot delegate away its accountability. Even deep in the chain, it must know who every sub-processor is and it ultimately decides whether each one is used.

Key terms - quick answers

What is “Sub-processor”?
An entity engaged by a processor to carry out specific processing activities on behalf of the controller (e.g. "Recruitment USA Inc." engaged by the agency).
What is “EDPB Opinion 22/2024”?
EDPB opinion clarifying controllers' obligations regarding the use of processors and sub-processors.