Can the data controller give a sub-processor direct instructions on how to process data?
ANSWER
Article 28(4) GDPR provides that where a processor engages another processor to carry out specific processing activities on behalf of the controller, that other processor must be bound, by contract (...), by the same data protection obligations as in the contract or other legal act between the controller and the processor referred to in paragraph 3 (...).
Article 28(3)(a) GDPR provides that the processor processes data only on documented instructions from the controller. Article 28(3)(h) GDPR provides that the processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Since the instructions on the basis of which the processor processes data belonging to the controller must be documented, it is recommended that the procedure and template for issuing further instructions be annexed to the data processing agreement (or other legal instrument). Such an instruction may be issued in any written form (e.g. by email), and it is recommended to record such instructions for accountability purposes.
The data controller may therefore also issue instructions to the sub-processor (in addition to the processor doing so), since the controller remains the entity responsible for the personal data processed. It is also good practice, when issuing instructions to the sub-processor (e.g. by email), to copy the processor. This keeps data processing consistent between the entities.


