GDPR, sub-processors and authorisations

04 Oct 2017
by
Alasdair Taylor

Article 28(2) GDPR provides that a processor of personal data “shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

This provisions is puzzling in (at least) two respects.

  • First, in the case of a general written authorisation, why are processors not expressly required to inform controllers about the identity of the initial sub-processor, but are required to inform the controller of changes concerning the addition or replacement of the processors?
  • Second, what is an opportunity to object?  Does the processor have any obligation to act in the case of an objection?

I have not been able to find much in the way of (English language) guidance from the regulatory authorities on these issues.

The ICO’s draft guidance on processor contracts says “Under Article 28.3(d) your contract must provide that … if another processor is employed under your prior general written authorisation, your processor should let you know of any changes it has made and give you a chance to object to them”.*  It seems to me that this is much broader than the GDPR requirement, which is limited to changes concerning the addition or replacement of the processors.

Regarding the question of whether processors have an obligation to act in the case of an objection, the approach of larger processors in the new data processing agreements I have seen is to assume that either: (i) there are no legal consequences to an objection; or (ii) the only right of the controller is to terminate the agreement before the new sub-processor is appointed. Where you have a contract between a large controller and a small processor, however, the controller may insist upon a right to block changes to sub-processor appointments.

Hopefully we will see further guidance from the regulatory authorities on these points soon.

*https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-…

Add a new comment

Your email address will not be published. Required fields are marked *

SEQ Legal
Copyright © 2024 Docular Limited | All rights reserved