On 7 October 2024, the European Data Protection Board (EDPB) issued an opinion clarifying certain obligations under the General Data Protection Regulation (GDPR) arising from the use of processors and subprocessors.
This opinion complements the EDPB’s 2020 Guidelines on the concepts of controller and processor, and provides updated guidance for data controllers engaging in complex chains of subprocessing arrangements.
Discover the key takeaways from the EDPB’s opinion below. Although it is a non-binding consultative opinion, it serves as an influential reference for anticipating how supervisory authorities may interpret the GDPR.
🏛️ Who is responsible in the processing chain?
Since the GDPR’s entry into force, controllers have been subject not only to substantive obligations, but also to the duty to demonstrate compliance (Article 5(2) — the accountability principle).
In subprocessing chains, particularly those involving multiple tiers (e.g., processor → subprocessor → sub-subprocessor), compliance becomes more operationally demanding, but the controller's accountability remains unchanged.
⚠️ The EDPB makes it clear: complexity in the processing chain does not relieve the controller of responsibility.
While the initial processor bears contractual responsibility for its subprocessors, the data controller must independently verify that all processors in the chain provide sufficient guarantees (Article 28(1) GDPR) regarding the implementation of appropriate technical and organisational measures to ensure continuous protection of data subjects’ rights.
Moreover, although processors may play a role in the selection and evaluation of subsequent processors, the final decision and legal liability for engaging them rests solely with the controller.
👉 The data controller must therefore verify and document that each actor in the chain provides sufficient technical and organisational guarantees to protect personal data.
🔍 Verifying Subprocessor Guarantees: A Legal Obligation
Identifying the chain of processors: a prerequisite
Per the EDPB, controllers must maintain up-to-date and comprehensive records identifying all processors and subprocessors, including:
Name, address, and contact details of each entity
Timely updates of any changes
Inclusion of this list in contractual arrangements
This transparency is necessary for fulfilling the information requirements under Articles 13 and 14 GDPR and for facilitating the exercise of data subject rights (e.g., access, objection).
Verifying Documentation
The controller must go beyond mere identification and carry out substantive due diligence to verify that processors meet GDPR requirements. This may include:
Verification of adherence to codes of conduct (Art. 40 GDPR)
Assessment of certifications (Art. 42 GDPR)
Review of security and privacy policies, terms of use
Deployment of evaluation questionnaires
Performance of on-site or remote audits
🔔 The EDPB stresses that these verifications are mandatory, regardless of risk level, but must be proportionate to the specific risks involved.
For high-risk processing activities—e.g., involving special categories of data (Art. 9 GDPR)—controllers are expected to:
Conduct enhanced due diligence
Request additional guarantees or documentation
Consult independent or public sources
Establish audit mechanisms and regular compliance checks
Should Controllers Obtain Contracts Between Processors and Subprocessors?
The EDPB offers a context-dependent approach. Controllers are not systematically required to request these downstream contracts.
However, they should do so where:
There are indications of non-compliance or prior data breaches by subprocessors
The controller is otherwise unable to assess the level of guarantees
Upon request, processors are required to make these contracts available. The controller must ensure that contracts:
Comply with Article 28 GDPR, including all mandatory provisions
Address any scenarios in which a processor may act outside of the controller’s instructions, such as legal obligations or binding orders from public authorities
📌 Reviewing contractual clauses is necessary, but not sufficient. Controllers must also factor in practical implementation and evidence of compliance.
🌍 What about International Data Transfers in Subprocessing Chains?
Where processors or subprocessors transfer personal data outside the EU/EEA, the controller remains responsible for ensuring that appropriate safeguards are in place (Chapter V GDPR).
Controllers must:
Obtain and assess documentation, including:
  The legal basis for the transfer (e.g., adequacy decision, SCCs)
  Transfer impact assessments
  Supplementary measures, if applicable
  The relevant data transfer agreement
Maintain a transfer map documenting all international data flows
Transfers of personal data to third countries outside the EU/EEA are a risk factor that may require the data controller to apply an enhanced level of verification.
For example, the mere existence of an adequacy decision is not sufficient: controllers must verify that the processing falls within its scope and that the decision remains valid and applicable.
🧑‍🚀 Streamline Your Verification Processes with Dastra
The EDPB acknowledges the operational complexity of managing cascading subprocessing chains.
Despite this, the accountability obligation remains fully enforceable, with no exception or derogation based on scale or sector.
How can Dastra help?
With Dastra, data controllers can:
Map all subprocessors and their relationships
Centralize contracts and key documentation
Generate and store compliant contractual frameworks
Launch automated assessments through built-in questionnaires
Monitor lifecycle changes of subprocessors
Track and document international data transfers
🧭 Dastra enables controllers to meet their GDPR obligations effectively, even in highly complex processing ecosystems.
Let Dastra simplify your compliance journey: get started now!