GDPR, sub-processors and authorisations

Article 28(2) GDPR provides that a processor of personal data "shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."

This provision is puzzling in (at least) two respects.

  • First, in the case of a general written authorisation, why are processors not expressly required to inform controllers about the identity of the initial sub-processor, but are required to inform the controller of changes concerning the addition or replacement of the processors?
  • Second, what is an opportunity to object?  Does the processor have any obligation to act in the case of an objection?

I have not been able to find much in the way of (English language) guidance from the regulatory authorities on these issues.

The ICO's draft guidance on processor contracts says "Under Article 28.3(d) your contract must provide that ... if another processor is employed under your prior general written authorisation, your processor should let you know of any changes it has made and give you a chance to object to them".*  It seems to me that this is much broader than the GDPR requirement, which is limited to changes concerning the addition or replacement of the processors.

Regarding the question of whether processors have an obligation to act in the case of an objection, the approach of larger processors in the new data processing agreements I have seen is to assume that either: (i) there are no legal consequences to an objection; or (ii) the only right of the controller is to terminate the agreement before the new sub-processor is appointed. Where you have a contract between a large controller and a small processor, however, the controller may insist upon a right to block changes to sub-processor appointments.

Hopefully we will see further guidance from the regulatory authorities on these points soon.

*https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-...

Copyright © 2007-2017 SEQ Legal LLP.