On 7 October 2024, the European Data Protection Board (EDPB) published Opinion 22/2024, shedding new light on the responsibilities of data controllers when working with processors and sub-processors under the General Data Protection Regulation (GDPR).
As the digital supply chain grows more complex, with cross-border transfers, layered outsourcing, and AI-based service providers, this guidance is both timely and far-reaching. By April 2025, all data controllers should have taken active steps to align with these expectations.
Key Takeaways from the EDPB
Comprehensive Identification: Controllers must maintain an updated register of all processors and sub-processors (including names, addresses, and contact details) to ensure effective oversight and facilitate data subject rights.
Verification of Guarantees: Processors and sub-processors may only be engaged if they offer sufficient guarantees of GDPR compliance. This verification is not a one-off event: it must be proportionate to the risk and reviewed at regular intervals.
Contractual Clarity: Data Processing Agreements (DPAs) must state clearly that processors act only on documented instructions, unless legally required otherwise by EU or national law. While quoting the GDPR is not mandatory, the clause must be legally equivalent in effect.
International Data Transfers: Controllers remain accountable for data transfers outside the EEA initiated by their (sub-)processors. This includes conducting transfer impact assessments and applying supplementary measures where needed.
What Should Controllers Be Doing Now?
Opinion 22/2024 is more than guidance; it is becoming an enforcement benchmark. At Allegiance Law, we recommend that all controllers, regardless of sector, take the following steps without delay: (i) audit and document your entire processor chain, (ii) verify guarantees and keep records of due diligence activities, (iii) update DPA templates to align with the EDPB’s position on legal exceptions, (iv) implement transfer mapping and risk assessments for all international data flows, and (v) prepare for enforcement. Data protection authorities are expected to increase scrutiny, especially in high-risk or tech-driven processing environments.
Allegiance Law’s Perspective
The EDPB has made it clear: accountability under the GDPR does not diminish across layers of outsourcing. Controllers remain fully responsible for ensuring that their processors, and their sub-processors, comply with data protection standards.
At Allegiance Law, we are assisting clients in (i) strengthening vendor management frameworks, (ii) updating cross-border data transfer policies, (iii) clarifying DPA language around lawful exceptions, and (iv) managing risk in sub-processing chains, especially for AI-driven services and SaaS models.
As joint liability risks rise and due diligence becomes a recurring obligation, the era of check-the-box compliance is over. Controllers must now demonstrate active governance.