EDPB Opinion on Sub-Processors
Opinion 22/2024 on Certain Obligations Following from the Reliance on Processor(s) and Sub-Processor(s)
This opinion outlines obligations under GDPR Article 28 when using processors and sub-processors. It covers contractual requirements, data protection safeguards, and documentation for accountability. The opinion also addresses the specific responsibilities regarding sub-processing agreements, data transfers, and incident management. It clarifies the roles and liability of controllers and processors.
Metadata
Author: European Data Protection Board
Status: Adopted / Published
Adoption date: 2024-10-08
Last updated: 08 Aug 2025
Category: Guidance
Subcategory: Official guidance