Article 28(2) allows controllers to provide a general authorisation to processors to engage another processor to conduct the processing providing that processors inform the controller. What would be a reasonable notice time?
Would it make sense to have a tapered schema based on the volume and sensitivity of the data processed, and the magnitude of the changes to the sub-processors?
Dave_Wylie
The timeline should be at least as long as would be required for the controller to be able to undertake and interact with the processor about the new sub-processor of the controller; like reviewing the VDD they have done and any or all of the DPIAs / LIAs etc. as part of that exercise so they can amend their own records and make the decision if they are happy with the risk change.
I have seen time periods in Controller to Processor agreements that vary from a minimum of 30 days to 90 days for changes in processing supply chain scope within the DSA (Data Sharing Agreements).
It also depends how much the Processor (Controller in their own right) has their own house in order with respect to vendor due diligence and notification to parties that they process on behalf of, but as you mention they should be taking a risk-based approach to the activities of the new processor: more lead time for more risk and sensitive personal data sets that are in scope.
Hope that helps.
Dean
I agree with Dave here. The determination is linked with the amount of time that is needed to assess the sub-processor. Likewise, anything from 30 days upwards.
I’ve usually built into the clause a way to back out of the processing relationship if the Controller really does have an issue with the suggested sub-processor.