On October 9, 2024, the European Data Protection Board (“EDPB”) adopted at its latest plenary meeting, among other things, Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s) (the “Opinion”), and Guidelines 1/2024 on the processing of personal data based on legitimate interest (the “Guidelines”), the latter for public consultation.
The Opinion follows a request to the EDPB from the Danish Data Protection Authority under Article 64(2) of the EU General Data Protection Regulation (the “GDPR”), which permits an authority to request an opinion from the EDPB on matters of general application or producing effects in more than one EU Member State. The Opinion concerns situations where controllers rely on one or more processors and sub-processors. In particular, it addresses eight questions on the interpretation of certain duties of controllers relying on processors and sub-processors, as well as the wording of controller-processor contracts, arising in particular from Article 28 of the GDPR. The EDPB’s conclusions include the following:
- A controller should have the information on the identity (i.e., name, address, contact person) of all processors, sub-processors, etc. readily available at all times so that it can best fulfill its obligations under Article 28 of the GDPR, regardless of the risk associated with the processing activity.
- While the initial processor should ensure that it proposes sub-processors providing sufficient guarantees, the ultimate decision on whether to engage a specific sub-processor and the pertaining responsibility, including with respect to verifying the guarantees, remains with the controller.
- Where transfers of personal data outside of the European Economic Area (“EEA”) take place between two sub-processors, in accordance with the controller’s instructions, the controller is still subject to the duties stemming from Article 28(1) of the GDPR regarding sufficient guarantees.
The Guidelines analyze the criteria a controller must meet to be able to rely on legitimate interests (Article 6(1)(f) of the GDPR) as a lawful basis for processing personal data. According to the EDPB, legitimate interests should “neither be treated as a ‘last resort’ for rare or unexpected situations where other legal bases are deemed not to apply nor should it be automatically chosen or its use unduly extended on the basis of a perception that Article 6(1)(f) of the GDPR is less constraining than other legal bases.” The Guidelines analyze the following three conditions, all of which must be met to rely on legitimate interests:
- the pursuit of a legitimate interest by the controller or a third party;
- the necessity to process personal data for the purposes of pursuing the legitimate interest; and
- the absence of overriding interests or fundamental rights and freedoms of individuals, i.e., those interests do not take precedence over the legitimate interests of the controller or of a third party.
The Guidelines also contain details regarding the relationship between legitimate interests and data subject rights, and relying on legitimate interests for certain activities, such as fraud prevention. The Guidelines will be open for consultation until November 20, 2024.