Controllers, processors and subprocessors in chains

Written By

ruth boardman module
Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

Ruth Boardman wrote an insightful article for the International Association of Privacy Professionals (IAPP) covering the European Data Protection Board's Opinion 22/2024 which addresses key obligations in controller-processor-sub processor relationships under GDPR. It clarifies requirements for processors to disclose sub-processor details to controllers, controllers' duties to verify GDPR compliance throughout the chain, and contractual language allowing processors to follow controller instructions or applicable laws. 

To delve into the full article click here.

Latest insights

More Insights
Curiosity line pink background

“Reasonable Steps” under Part 4A of the Online Safety Act 2021 (Cth): eSafety Commissioner Guidance and Implications

Sep 18 2025

Read More
Curiosity line yellow background

General Data Protection Guide (GDPR) – Japanese Version Available

1 minute Sep 17 2025

Read More
Curiosity line teal background

Digital Duty of Care: What Phase 2 eSafety Codes Demand from Providers

Sep 16 2025

Read More