Sub-processor refused to provide data to the controller Summary The Danish Data Protection Agency’s A company, as a data controller, had engaged another decision company as a data processor. The data processor (A) The Danish DPA seriously criticized the sub-processor’s later entered into a data processing agreement with its processing of personal data, which had not been IT supplier (Data processor (B)), which then became a carried out in accordance with the rules in GDPR, sub-processor for the original data controller. Articles 6 (lawful processing) and 9 (processing of The sub-processor had refused to meet the data special categories of personal data) and Section 11 controller’s demand for the return of customer of the Danish Data Protection Act, cf. GDPR, Article 28 data with reference to the agreement in question, (requirements for data processors). including by challenging the data controller’s power of The Danish DPA issued an order to the data processor instruction. to disclose the data controller’s customer data. In addition, the data processor was prohibited from This picture explains the relationship between the processing the data controller’s customer data after parties: disclosure, unless this was done on the instructions of the data controller. Our remarks • A controller’s responsibility to test updates that, for example, reset or change previously selected settings does not cease, even if the controller is unaware of these features of the update. This applies regardless of whether the lack of knowledge is because the software vendor has not adequately communicated this. • Controllers should therefore seek knowledge about the consequences of updates themselves, even if the software supplier may have provided adequate information. Published: 07-02-2022 Journal number: 2022-431-0167 Tags: 04 Data processing agreements 116 and supervision of data processors and sub-processors