According to Article 28(2) of the General Data Protection Regulation (GDPR), a processor is explicitly prohibited from engaging another processor (a sub-processor) without obtaining prior written authorisation from the controller. This authorisation can be either specific to a particular sub-processor or a general written authorisation for the processor to engage sub-processors. In the case of a general authorisation, the processor must inform the controller of any changes, giving the controller the opportunity to object. This requirement ensures the controller maintains ultimate control and awareness over who is processing the personal data for which they are responsible.

B. Adherence to an approved code of conduct is a mechanism to demonstrate compliance but does not override the explicit legal requirement for prior written authorisation from the controller as stated in GDPR Article 28(2).

C. A contract imposing the same obligations is a mandatory requirement under GDPR Article 28(4) after a sub-processor has been authorised, but it is not a substitute for obtaining the controller's prior authorisation.

D. The GDPR does not provide a "low-risk" exemption for the requirement to obtain controller authorisation. The rules outlined in Article 28 apply to all processing activities conducted by a processor, regardless of the perceived risk level.

1. Regulation (EU) 2016/679 (General Data Protection Regulation), Official Journal of the European Union, L 119/1.

Article 28(2): "The processor shall not engage another processor (a sub-processor) without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes." (Supports the correctness of A and the incorrectness of B, C, and D).

Article 28(4): "Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor...shall be imposed on that other processor by way of a contract..." (Explains why C is an additional requirement, not a substitute for authorisation).

2. European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, 7 July 2020.

Paragraph 105 (Page 33): "Article 28(2) GDPR requires the processor to seek the controller’s prior specific or general written authorisation before engaging a sub-processor. This is a key element of the controller’s control over the processing of personal data entrusted to the processor." (Directly supports the explanation for answer A).