What are the obligations of a processor that engages a sub-processor?

What are the obligations of a processor that engages a sub-processor?

A. The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.

B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.

C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

View Answer

Answer: D

Explanation:

According to Article 28(2) and (4) of the GDPR:

A processor cannot engage a sub-processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object to such changes.

The same data protection obligations as set out in the contract or other legal act between the controller and the processor as per Article 28(3) shall be imposed on that sub-processor by way of a contract or other legal act under Union or Member State law. In essence, this means that the obligations the processor has towards the controller must also be imposed on the sub-processor.

A. While prior notice is required as per the GDPR, there’s no explicit mention of a preliminary audit.

B. The GDPR doesn’t mandate annual reports on the sub-processor ’ s performance.

C. While the GDPR does address liability, it doesn’t strictly require full liability to be passed on from the sub-processor to the controller. It mainly emphasizes that the primary processor remains fully liable to the controller for the performance of the sub-processor’s obligations.

So, among the given options, D is the most accurate description of the obligations under the GDPR when a processor engages a sub-processor.