Skip navigation

Notes on upcoming EDPB Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s)

SCOPE EuropeNews

The European Data Protection Board (EDPB) has recently published in its agenda for the plenary meeting of October 7th the following item pending adoption: "Article 64(2) GDPR opinion on certain obligations following from the reliance on processor(s) and sub-processor”. Although the precise impact of the opinion is not yet clear, given the relevance of the topic for day-to-day operations of cloud providers and users, a high level of anticipation is both expected and understandable.

Given the very nature of the GDPR, the continuous development and update of guidance by the competent authorities is a vital exercise to harmonize legal interpretation and, ultimately, guarantee the robust protection of data subjects across the EU.  Among existing guiding tools, EDPB Opinions (pursuant Article 64 GDPR), although not binding, are key indicators for organizations and businesses implementing the regulation – after all, they put forward legal interpretations agreed upon by the collective of European Data Protection Authorities (DPAs). 


Considering the relevance of Opinions with fundamental impact such as this, collecting input from different stakeholders – in the form of  public consultations, for example – becomes crucial. Even knowing that open calls for feedback are not formally required nor represent the standard approach in the case of Opinions, having broad public input is a key step to ensure suitability and prevent further fragmentation. The GDPR regulates each and every industry in our economy, which makes it virtually impossible for authorities to fully grasp the particularities, challenges, and needs of each one of them. Against this background, collecting experts’ input can significantly support the adoption of effective and proportionate approaches.


Within the pool of stakeholders that can contribute to the establishment of such Opinions are those directly involved in the day-to-day implementation of compliance instruments, such as GDPR codes of conduct and certification owners, as well as monitoring and certification bodies (pursuant Articles 40, 41, 42, and 43 GDPR, respectively).


SCOPE Europe acts as the accredited monitoring body of two codes of conduct under the GDPR, namely, the EU Cloud CoC and the Data Pro Code. While the first is a European-wide instrument, the second is a national code established in the Netherlands. In our role as a monitoring body, SCOPE Europe shall closely follow the developments in terms of guidance from competent authorities in order to ensure the effectiveness and coherence of our overseeing activities. 


Since the approach to be taken when it comes to sub processing chains has already been formally subject to the assessment of the EDPB in the context of the approval of two transnational codes of conduct for the cloud industry, it is essential to ensure consistency on this matter. In this spirit, SCOPE Europe believes the input of monitoring and certification bodies – and any other relevant entities responsible for the implementation of GDPR – would meaningfully contribute to the development of such Opinions, avoiding further fragmentation while fomenting clarity and foreseeability.


In this spirit, SCOPE Europe looks forward to continually support this and other relevant discussions regarding GDPR, in order to optimize its daily implementation and foster the harmonization of best practices. As a component of the co-regulation ecosystem, which can be particularly effective in the context of regulating digital markets, we firmly believe in the importance of this ongoing dialogue to enable broad accessibility to modern technologies and the ultimate materialization of the EU digital transition.  

 

 

20241007_Notes_on_EDPB_Opinion.png