BRUSSELS – Thomas Boué, Director General – Policy EMEA, at BSA | The Software Alliance, issued the following statement in response to opinion 22/2024 from the European Data Protection Board (EDPB), adopted on October 7, 2024, on Article 64(2) of the General Data Protection Regulation (GDPR) on certain obligations following from the reliance on processor(s) and sub-processor(s). 

The EDPB notably concludes that “controllers should have the information on the identity (i.e., name, address, contact person) of all processors, sub-processors etc. readily available at all times (...), regardless of the risk associated with the processing activity. To this end, the processor should proactively provide to the controller all this information and should keep them up to date at all times.” This opinion challenges existing well-established practices and has major implications for businesses, especially those leveraging cloud services, to the detriment of both the controller (business customer) and processor (cloud service provider). 

“BSA is concerned about the EDPB's latest opinion, which disrupts well-established and effective privacy protections that are built upon the relationships between data controllers and processors, and which currently rely on contractual agreements to cover the issue. The EDPB's decision introduces a significant new requirement on data controllers to be aware of all processors in their entire sub-processing chain and on data processors to proactively provide such information to the controllers. 

Imposing such an end-to-end requirement would overburden businesses, especially small and medium-sized enterprises (SMEs), without providing real improvements in the level of data protection. It would also be unrealistic for both cloud service providers acting as processors and their business customers acting as controllers. 

At BSA, we firmly believe that the current approach—where data controllers and processors, as well as processors and sub-processors, maintain their relationships based on monitoring and well-defined contractual agreements—remains the most effective way to ensure data protection. 

Additionally, BSA wishes to express its concern about the limited involvement of stakeholders in the EDPB process on this important issue for our members and the industry as a whole. This would be a significant change that, if appropriate, should be considered, at the very least, through legislative process, with the appropriate stakeholders’ involvement. In light of the ongoing consultations on the Digital Operational Resilience Act's (DORA) subcontracting of ICT services and transparency requirements, we believe that a prior dialogue between financial and privacy regulators would have helped achieve better alignment and consistency.” 

BSA will continue advocating for policies that support innovation, growth, and a competitive marketplace while maintaining healthy data security and transparency standards.