CIPP/E Updates 2025 - EDPB Opinion on Chains of Controllers, Processors and Sub-Processors
As part of our 2025 CIPP/E curriculum update series, this article dives into the latest guidance from the European Data Protection Board (EDPB). Opinion 22/2024, adopted on 7 October 2024 under Article 64(2) GDPR, clarifies the legal and operational responsibilities within chains of controllers, processors and sub-processors. This update is particularly crucial for exam candidates, compliance professionals, and legal teams managing data processing agreements.
Why This Opinion Matters for CIPP/E Candidates
The EDPB's Opinion 22/2024 clarifies roles when multiple entities are involved in sequential data processing. Whether an organization is outsourcing IT services, engaging cloud providers, or relying on analytics platforms, understanding who is responsible, and for what, is essential.
These clarifications are now essential study material for the 2025 Certified Information Privacy Professional/Europe (CIPP/E) exam. They affect how compliance is managed across entire processing chains, from initial data collection to its final use or deletion.
Controllers Are the Final Decision-Makers
Controllers initiate the processing of personal data and remain the key figures in ensuring lawful, fair, and transparent data use. The EDPB emphasized that even in complex chains, controllers cannot delegate away their core obligations.
Core Obligations of Controllers
Controllers must determine the "why" and "how" of data processing: the purposes of processing and the essential means of achieving them (what data is processed, for how long, and who has access). Non-essential means, such as the choice of hardware or software, may be left to the processor. Engaging a processor does not release the controller from its own accountability.
Controllers are also required to verify that every actor they rely on provides sufficient guarantees of GDPR compliance. This includes the initial processor and any sub-processors further down the chain, although the depth of that verification should be proportionate to the risk of the processing. Controllers must take appropriate steps to ensure that each link in the chain adheres to the same data protection standards.
Transparency and Documentation
Transparency obligations extend beyond policies and notices. The EDPB expects controllers to have readily available the identity (name, address and contact details) of every processor and sub-processor in the chain, not just their direct contractors, so that the records are complete and can be kept up to date.
Due diligence should be part of every new processor engagement, especially when international transfers or high-risk processing are involved. Controllers may rely on information supplied by the processor, but should verify it to a degree proportionate to the risk, through audits or compliance reports where warranted. Contracts must explicitly define roles, responsibilities, and escalation procedures in the event of non-compliance.
Processors Must Be Proactive
While processors follow the controller’s lead, they are not passive participants. Opinion 22/2024 reinforces that processors bear legal obligations in their own right, particularly when selecting and managing sub-processors.
Inform, Cooperate, and Remain Liable
Processors may only engage a sub-processor with the controller's prior written authorisation, whether specific or general (Article 28(2)). Under a general authorisation, the processor must inform the controller of any intended addition or replacement in advance so that the controller has the chance to object, which matters especially when the new actor operates in a different legal jurisdiction.
The processor remains fully liable to the controller for the performance of its sub-processors' obligations (Article 28(4)), so if a sub-processor mishandles personal data, liability flows back to the initial processor under the contract. This does not relieve the controller of its own accountability toward data subjects and supervisory authorities. Contracts must therefore ensure that processors act only on documented instructions and follow strict rules for subcontracting, data transfers, and incident response.
Practical Guidance for Contracting and Oversight
Contracts are the cornerstone of GDPR-compliant processing relationships. The EDPB recommends specific elements to ensure proper oversight and documentation throughout the chain.
Contracts should require processors to maintain a list of all sub-processors or provide advance notice before onboarding new ones. Controllers should use this information to perform risk assessments and object if needed.
Agreements should also establish expectations for audits, data protection impact assessment (DPIA) support, and cooperation in the event of a breach. Many organizations now adopt controller–processor checklists to ensure every legal requirement is addressed and periodically reviewed.
Cross-Border Implications
International processing complicates controller–processor relationships, particularly under Chapter V of the GDPR. Even when a processor, rather than the controller, engages a sub-processor located in a third country, the controller remains responsible for ensuring that the transfer is covered by appropriate safeguards.
This means verifying that the destination country benefits from an adequacy decision or that a valid transfer tool, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), is in place, together with any supplementary measures required. The controller may rely on the processor's documentation for this, but must still be able to demonstrate that the check was made. Controllers should also document the transfer tool relied on for each transfer and periodically reassess the risk.
How We Updated the CIPP/E Course
Opinion 22/2024 is now fully integrated into the updated 2025 CIPP/E eLearning modules. This content ensures that students are equipped with practical knowledge for managing complex controller–processor chains.
We’ve added interactive contract drafting examples, case studies involving multinational vendors, and realistic quiz questions that reflect the EDPB’s latest interpretation of Article 28. Learners can explore how liability shifts between parties and test their understanding of compliant subcontracting practices.
Whether you're preparing for the exam or reviewing compliance strategies, this course module ensures you're working from the most current guidance available.
Prepare for the 2025 CIPP/E Exam
Are you preparing for the 2025 CIPP/E exam? Make sure your study material reflects the most recent legal interpretations. Start now with the fully updated CIPP/E Prep Suite, featuring new content based on EDPB Opinion 22/2024 and detailed guidance on controller–processor chains under GDPR.