The European Data Protection Board (EDPB) recently issued Opinion 24/2024, focusing on a critical aspect of data protection compliance: the due diligence that controllers must perform when relying on processors and sub-processors. While data processing agreements are essential, this opinion emphasizes the responsibility of controllers to ensure that all parties involved in processing personal data are held to the highest data protection standards under the General Data Protection Regulation (GDPR).
Key Highlights of the Opinion:
- Clear Definitions and Responsibilities: The EDPB underscores the importance of clearly defining roles within data processing agreements. Controllers must explicitly outline the tasks of processors and, where relevant, sub-processors. This helps set the foundation for effective due diligence by ensuring that each party knows their responsibilities in protecting personal data.
- Sub-Processor Engagement: Controllers must exercise due diligence when processors engage sub-processors. The opinion stresses that controllers need to be informed about the sub-processors and their specific roles before accepting the engagement. This ensures that controllers have sufficient visibility into the data processing chain and can assess risks before approving a sub-processor.
- Due Diligence and Risk Management: A core focus of the opinion is the requirement for controllers to perform thorough due diligence on both processors and sub-processors. Controllers remain ultimately responsible for ensuring GDPR compliance, and this responsibility cannot be outsourced. Due diligence should include risk assessments, evaluating the sub-processors’ compliance with GDPR, and verifying their data protection practices.
- Contractual Safeguards and Compliance: While due diligence is key, robust contractual safeguards must be in place as well. The opinion emphasizes that processors should be contractually obligated to impose the same data protection standards on sub-processors. This ensures consistency and compliance throughout the entire data processing chain.
- Ongoing Monitoring and Auditing: The opinion highlights the need for ongoing monitoring of processors and sub-processors, including the use of audit rights to verify compliance. Controllers must retain the ability to audit their processors and sub-processors to maintain oversight and control over how personal data is handled. This continuous evaluation is an essential part of effective due diligence.
Legal Force of EDPB Opinions:
While Opinion 24/2024 offers valuable guidance, it is important to understand its legal force. The EDPB’s opinions are non-binding, meaning they do not have the force of law. However, they are highly influential in shaping how the GDPR is interpreted and enforced. Here’s why:
- Interpretative Guidance: EDPB opinions provide authoritative guidance on how the GDPR should be interpreted, especially in areas where the law may be ambiguous.
- Advisory Role: Although advisory in nature, these opinions often serve as practical compliance tools for businesses, helping them navigate complex GDPR obligations.
- Influence on National Authorities: National Data Protection Authorities (DPAs) across the EU tend to align their actions with EDPB opinions, meaning that businesses are wise to follow the guidance as if it were mandatory.
- Judicial Consideration: Courts may also refer to EDPB opinions when deciding data protection cases, giving the opinions significant interpretative weight.
Thus, while the opinion does not directly impose legal obligations, it serves as a highly persuasive resource for ensuring GDPR compliance.
Legal Force of EDPB Opinions in the UK:
Since the UK has left the EU, the EDPB’s opinions, including Opinion 24/2024, do not have direct legal force in the UK. However, the UK still follows many of the principles enshrined in the GDPR through its own UK GDPR and Data Protection Act 2018.
- UK GDPR Framework: While no longer bound by the EDPB, the UK Information Commissioner’s Office (ICO) may still refer to EDPB opinions as informative guidance when shaping its own data protection policies. This means that while the opinions are not legally binding in the UK, they could influence how the ICO interprets complex data protection issues in practice.
- Diverging Standards: Over time, as UK data protection law evolves independently, the ICO may develop different approaches from the EDPB. For now, however, EDPB opinions such as this one still offer valuable insight for UK organizations that operate within both the UK and the EU, or that wish to align with EU data protection standards for international business purposes.
Thus, while Opinion 24/2024 does not have formal legal standing in the UK, it remains a relevant and useful reference point, particularly for organizations that interact with the EU.
How This Applies to Clinical Trial Sponsors:
For clinical trial sponsors, the due diligence responsibilities outlined in this opinion are highly relevant. Sponsors, acting as controllers, must ensure that they are fully informed about the processing activities of their processors (e.g., Contract Research Organizations, laboratories) and sub-processors (e.g., external data analytics services, subcontracted labs).
Here’s how it applies:
- Risk Assessments and Compliance Checks: Sponsors must conduct due diligence to ensure that any processor or sub-processor handling sensitive health data complies with GDPR standards. This includes conducting risk assessments to evaluate the processor’s security measures and data protection practices, especially when handling clinical trial data, which often contains special categories of personal data.
- Visibility and Transparency: Sponsors need full visibility into the entire processing chain, including the use of sub-processors by their main processor. The EDPB opinion emphasizes that sponsors should be informed of, and approve, the use of sub-processors. This transparency is essential to ensuring that the sponsor’s accountability is maintained throughout the clinical trial data lifecycle.
- Contractual Safeguards: In addition to ongoing due diligence, sponsors must ensure that their processors impose the same data protection obligations on sub-processors. This is critical to maintaining consistency and compliance with the GDPR, as well as meeting the trial sponsor’s own legal obligations.
- Ongoing Monitoring and Auditing: Sponsors must regularly monitor their processors and sub-processors and exercise their right to audit as needed. This ensures that clinical trial data is continuously protected and that all parties are adhering to agreed-upon data protection standards. Ongoing audits help sponsors maintain control over how personal and sensitive data is processed during trials, minimizing the risk of breaches or non-compliance.
Conclusion:
The EDPB’s Opinion 24/2024 serves as a reminder that controllers must maintain oversight of processors and sub-processors, performing thorough due diligence to ensure compliance with GDPR. While the opinion is not legally binding, it provides essential guidance for aligning practices with GDPR expectations. In the UK, although not legally enforceable, the opinion remains a valuable reference, particularly for businesses operating across both UK and EU data protection frameworks.
Diana is the Founder & Managing Director at RD Privacy and a contributing columnist, specializing in privacy for the pharmaceuticals and life science sectors, particularly small biopharma companies, with extensive experience as a European qualified privacy attorney and Data Protection Officer (DPO).