Supervision by the controller in the processing of personal data by the processor regarding security measures
Means to ensure the security at the subprocessor
Written consent
The responsible party must agree in writing that his processor may outsource some of the tasks he has undertaken to a subprocessor.
In such cases, the processor is responsible for:
the underprocessor operates in accordance with the instructions of the controller
supervise the subprocessor, in the same way as the controller supervises the processor
Confirmation from the processor to the controller
In most cases, it is enough for the controller to obtain confirmation from the processor that he has carried out the agreed controls.
The controller is nevertheless always responsible for compliance with the data protection legislation.
Opinion of the European Data Protection Supervisor on the obligations of processors and subprocessors
On 9 October 2024, the European Data Protection Supervisory Authority (EDPB) adopted an opinion on the obligations of processors and subprocessors. The opinion concerns, among other things, agreements between controllers and processors and the interpretation of certain obligations of controllers, processors and subprocessors in the processing of personal data.
