On 9 October 2024, the EDPB (European Data Protection Board) adopted an opinion on data processing relationships and the resulting obligations of the parties involved, in particular in the case of sub-contracting. In essence, the EDPB’s findings come down to the fact that the level of protection to be maintained by the controller under the GDPR must not be reduced by (chain) outsourcing. Thus, the controller should always know the identity of the subcontractors in order to be able to monitor compliance with the GDPR. The clients, in turn, are required to ensure that the subcontractors provide sufficient guarantees. This applies in particular to subcontracting to a third country.