Posted by Linzi Penman and Eilís McDonald on 8 November 2024
Tagged to Financial Services, GDPR, UK

The European Data Protection Board (EDPB) adopted an opinion on 7 October 2024. It gives guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:

  • supply chain mapping;
  • verifying compliance with flow-down obligations.

For many financial institutions, the emphasis on these obligations should not come as a surprise. However, there are some nuanced clarifications in the opinion which could have an impact on general vendor management in the financial services sector. We have summarised the key takeaways. Do reach out if you would like to discuss further. Or, if you are struggling to map these requirements against other emerging laws i.e. DORA or NIS2. We can help you look at the data and cyber contractual commitments in your contracts.

Supply Chain Mapping

Controllers should always be able to identify the processing supply chain. This means knowing all processors, and their subprocessors, for all third-party engagements. And not just their identity. The EDPB's opinion clarifies that controllers should know:

  • the legal entity name, address and information for a contact person for each processor/subprocessor;
  • the data processed by each processor/subprocessor and why; and
  • the delimitation of roles where several subprocessors are engaged by the primary processor.

This may seem excessive. However, the practical benefit of knowing this information stems beyond Article 28 compliance. It is also required to discharge transparency obligations under Articles 13 and 14. And to respond to data subject requests (e.g. of access under Article 15 or erasure under Article 19).

How is this achieved in reality? Vendor engagement can be tedious. While many financial institutions have sophisticated vendor onboarding processes, data protection is often an afterthought. Addressed after commercials are finalised.

So, what should you do as a data controller? Revisit your contracts to ensure your processors are obliged to provide the above information proactively. At a frequency and in the format you require.

Click here to read the full article 

The authors

Linzi Penman
Linzi Penman
Eilís McDonald
Eilís McDonald

Add to home screen

To add this site to your home screen open the browser option menu and tap on Add to home screen.

To add this site to your home screen tap arrow and then plus