Sub-Processor

A sub-processor is a supplier that your data processor engages to carry out parts of the data processing on your behalf. The GDPR requires your prior approval, and the sub-processor must comply with the same data protection obligations.

What is a sub-processor?

A sub-processor (also called a sub-data processor) is a company that your data processor uses to carry out specific processing tasks. The rules for sub-processors are set out in GDPR Article 28(2)-(4).

A typical example: You use an HR supplier (data processor) for payroll processing. The HR supplier uses a cloud service (sub-processor) to host the data. In this case, the cloud service is a sub-processor in relation to your personal data.

The chain can be long. Large SaaS providers often have many sub-processors, which in turn may have sub-processors of their own. As data controller, you have the responsibility to know who processes your data.

Approval of sub-processors

GDPR Article 28(2) requires that the data processor has your prior written approval before a sub-processor is engaged. The approval can be:

• Specific approval: You approve each individual sub-processor by name. The data processor must obtain new approval for changes.
• General approval: You approve the use of sub-processors in general. The data processor must inform you of planned changes and give you the opportunity to object.

The general approval model is the most widely used in practice, particularly with large cloud providers. They typically maintain a list of sub-processors and notify changes via email or a subscription page.

Your data processing agreement must specify which approval model is used and ensure you have a genuine opportunity to object.

Liability and obligations

The allocation of liability is clear under the GDPR:

• The data processor is fully liable to you for the sub-processor's fulfilment of obligations (Article 28(4)).
• You as data controller are still liable to the data subjects for the overall processing.

The data processor must enter into an agreement with the sub-processor imposing the same data protection obligations as those in your data processing agreement. This includes:

• Only processing data according to documented instructions
• Ensuring confidentiality
• Implementing appropriate security measures
• Assisting with data subject rights
• Deleting or returning data upon termination of the agreement

Sub-processors in practice

To keep track of sub-processors:

• Map: Ask all your data processors for an up-to-date list of sub-processors, including location and role.
• Assess: Are sub-processors in third countries? Does this require Standard Contractual Clauses?
• Monitor: Subscribe to change notifications from your suppliers so you are informed about new sub-processors.
• Document: Record sub-processors in your record of processing activities.
• React: If a new sub-processor gives cause for concern, exercise your right to object.

Bear in mind that many popular services use a large number of sub-processors. A single SaaS platform may have 30-50 sub-processors spread across multiple countries. A systematic overview is essential.

Frequently Asked Questions about Sub-Processor

What is a sub-processor?

A sub-processor is a supplier that your data processor engages to carry out parts of the data processing on your behalf. The sub-processor must comply with the same data protection obligations as the primary data processor.

Must the data controller approve sub-processors?

Yes. GDPR Article 28(2) requires that the data processor has the data controller's prior written approval before a sub-processor is engaged. The approval can be specific (named) or general (with the right to object to changes).

Who is liable if a sub-processor breaches the GDPR?

The primary data processor is fully liable to the data controller for the sub-processor's fulfilment of obligations. The data controller is still liable to data subjects. In practice, all parties in the chain may be held liable.

Must an agreement be entered into with the sub-processor?

Yes. The data processor must enter into an agreement with the sub-processor imposing the same data protection obligations as those set out in the data processing agreement between the data controller and the data processor.

How do you keep track of sub-processors?

Ask your data processors for a current list of sub-processors. Subscribe to change notifications. Document all sub-processors in your record of processing activities, including their location and role. Regularly review whether new sub-processors require additional measures such as Standard Contractual Clauses (SCCs).
