Last month brought some big updates in the privacy world!
Fines against Meta are becoming regular news. Even South Korea has joined in, fining Meta $15 million for Facebook’s unauthorised data collection.
On the global front, the EU-U.S. Data Privacy Framework passed its first annual review - that’s good news for international data transfers!
The European Data Protection Board (EDPB) released three major GDPR documents / guidelines, including 1) updates on legitimate interests, 2) the ePrivacy Directive (covering cookies and tracking), and 3) a new opinion on managing controller-processor-subprocessor relationships.
In this newsletter, we’ll break down no. 3 - the EDPB’s opinion on handling vendor chains.
When companies use vendors, tools, and systems to operate their business, they act as data controllers, while the vendors they engage become data processors. When these processors rely on additional tools to deliver their services, these additional providers are considered "sub-processors."
For example: Imagine Company A uses a CRM system like HubSpot to manage marketing contacts (such as names and emails). Here, Company A is the controller, and HubSpot is the processor. To provide its services, HubSpot might use a vendor like Twilio for its calling features. In this scenario, Twilio acts as a sub-processor. If Twilio, in turn, uses other vendors, they would be sub-processors as well.
According to new EDPB guidelines, controllers must have complete visibility over every sub-processor throughout the entire data chain. This means that processors are required to provide comprehensive details about each sub-processor they use, including their names, locations, roles, and specific data processing activities.
Controllers are responsible for verifying GDPR compliance not only for their primary processors but also for each sub-processor—regardless of risk level.
This could mean tracking and verifying compliance for dozens, or even hundreds, of sub-processors!
Most standard data processing agreements from suppliers say that processors may only handle data on the controller's "instructions". However, they often add a clause allowing processors to handle data where required by law. Denmark's data protection authority, Datatilsynet, asked the EDPB whether this kind of wording violates GDPR. The EDPB clarified that it doesn’t automatically breach GDPR - good news! However, it did note that instructions must be clear and specific about how personal data is processed. The phrase "unless required by law to do so" is not precise enough in the EDPB's view.
The EDPB stresses that controllers must monitor all onward data transfers, even those not directly initiated by them. Specifically, they should be aware of where their data ends up and ensure that the legal framework for onward transfers aligns with GDPR requirements.
The EDPB has advised that controllers should have access to full details on each sub-processor down the chain in order to comply with GDPR rights, including data subject requests such as access and erasure. While controllers need to be prepared to respond to these requests, processors play a crucial role in providing the necessary information.
The EDPB’s opinion emphasises that controllers carry ultimate responsibility, but processors play a crucial role in enabling GDPR compliance. With due diligence, transparency, and clear processes, staying compliant with GDPR in your vendor relationships can be manageable - and it builds trust along the way.
So we recommend being open and upfront about your data flows and privacy compliance! When done right, this isn’t just a compliance burden - it’s also a business asset that sets you apart from the competition!