Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)

The European Data Protection Board issued an update regarding Opinion 22/2024, providing guidance on certain obligations stemming from reliance on processor(s) and sub-processor(s). The board clarifies the application of Article 28(3)(a) GDPR, emphasizing the importance of documented instructions, information obligations, and legal requirements. The key points are: * The EC International Transfer SCCs specifically address 'Local laws and practices affecting compliance with the Clauses' in Clause 14 and 'Obligations of the data importer in case of access by public authorities' in Clause 15. * BCR-controller recommendations and BCR-processor referentials also set out obligations in case of government access requests, ensuring transparency and compliance with GDPR provisions. * Ad hoc contracts based on Article 46(3)(a) GDPR should contain similar provisions to ensure compliance with Chapter V GDPR. This guidance aims to provide clarity on the obligations stemming from reliance on processor(s) and sub-processor(s), emphasizing the importance of documented instructions, information obligations, and legal requirements in complying with Article 28(3)(a) GDPR.