What is a sub-processor under GDPR?

Under GDPR, a sub-processor is a third party engaged by a data processor to process personal data on the processor’s behalf, strictly on the processor’s documented instructions. Data controllers determine the purposes and means of processing; data processors handle personal data on behalf of controllers; sub-processors sit one step further down the processing chain, and the instructions they receive from the processor ultimately originate with the controller.

Even with a clear understanding of what sub-processors are and of their legal and contractual obligations, managing these relationships demands careful attention. This post sets out practical insights, examples, and best practices for keeping sub-processor management compliant and lowering the associated risk.

Key Takeaways

Sub-processors may only be engaged with the controller’s prior written authorisation, which can be specific (per sub-processor) or general (per category, with advance notice of changes), so that the controller keeps visibility of and control over the whole processing chain.

Processors remain fully liable for the compliance and data protection obligations of their sub-processors or vendors when outsourcing processing activities, requiring robust contracts, due diligence, and ongoing monitoring of vendor relationships.

Effective sub-processor management, including clear contractual terms, regular audits, and adherence to GDPR Article 28, is crucial for lowering risks and ensuring regulatory compliance.

What is a sub-processor?

A sub-processor processes personal data on behalf of a data processor under the processor’s specific instructions. Unlike data controllers who determine the purposes and means of processing, or data processors who handle personal data on behalf of controllers, sub-processors operate one tier removed from the original data processing relationship.

Like processors, sub-processors may be any natural or legal person, public authority, agency or other body (the processor definition in GDPR Article 4(8) applies). What makes an entity a sub-processor is its role, not its size or sector: it performs specific tasks for the processor, under the processor’s instruction, without deciding how or why the data is used. An entity that decides its own purposes for the data is a controller, whoever engaged it.

Engaging a sub-processor is a form of outsourcing: the processor delegates specific processing operations to another party while remaining responsible for them. The sub-processor carries out those operations strictly under the processor’s instructions and must implement the technical and organisational measures the processor is itself bound to provide.

Common examples of sub-processors include:

Cloud infrastructure providers such as AWS, Google Cloud, and Microsoft Azure that host the processor’s systems and the personal data they hold

Email marketing platforms such as Mailchimp that send communications on behalf of processors

CRM services like Salesforce that manage customer relationships for business operations

Analytics tools that track website performance and user behaviour

Payment processors that handle transaction data for e-commerce platforms

The key distinction is that sub-processors do not decide why or how data is processed; they act only on explicit instructions from the processor, which themselves originate from the controller’s instructions and lawful basis for processing. Note that the same vendor can play different roles depending on who engages it and who determines the purposes: a platform engaged directly by the controller is a processor, the same platform engaged by a processor is a sub-processor, and some vendors (many payment service providers, for example) determine their own purposes and are independent controllers rather than sub-processors at all. Check the vendor’s own DPA and terms rather than assuming the role from the service type.

Legal Requirements Under GDPR Article 28

GDPR Article 28 establishes the legal foundation for sub-processor relationships, with strict controls in place to prevent unauthorised data processing. These requirements ensure compliance with statutory obligations and protect the rights of data subjects throughout the processing chain.

Article 28(2) prohibits a processor from engaging another processor without the controller’s prior specific or general written authorisation. This applies regardless of the sub-processor’s size, location, or the scope of the processing it will perform.

Controllers can give either specific authorisation for individual sub-processors or general authorisation for categories of processing activities. Either form must be in writing, which includes electronic form (Article 28(9)), and is normally recorded in the data processing agreement. The UK GDPR contains the same Article 28 requirements, so organisations subject to both regimes can apply one process.

Processors may process personal data only on the controller’s documented instructions, unless Union or Member State law requires them to process it otherwise (Article 28(3)(a)). In that case the processor must inform the controller of the legal requirement before processing, unless the law in question prohibits such disclosure on important grounds of public interest.

Under a general authorisation, processors must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object (Article 28(2)). GDPR sets no fixed notice period; contracts commonly specify 30 to 60 days, depending on the nature and sensitivity of the processing.

Controllers have the right to object to new sub-processor appointments within a reasonable timeframe. If a controller objects and no alternative is available, the processor may terminate the relevant service component rather than breach their data protection obligations. Each sub-processor must comply with GDPR and contractual obligations to ensure ongoing compliance throughout the processing chain.

Specific vs General Authorisation

Specific authorisation requires controller approval for each sub-processor appointment. This approach provides controllers with maximum oversight but can be burdensome for processors managing a complex supply chain with multiple vendors and subcontractors. Processors must also respond in writing to any objections or directives from controllers regarding sub-processor appointments, ensuring compliance with data protection regulations.

General authorisation allows processors to engage sub-processors within approved categories, provided they give advance notification. This model is more practical for processors with dynamic vendor relationships, though it requires clear criteria and robust notification processes.

Controllers with significant leverage often prefer specific authorisation for greater control over their data processing chain. However, general written authorisation has become more common as organisations recognise the operational challenges of case-by-case approvals.

The choice between specific and general authorisation should reflect the risk profile of processing activities, the sensitivity of personal data involved, and the operational requirements of both parties.

Contractual Obligations for Sub-processors

The contract between processor and sub-processor must impose the same data protection obligations as those in the controller-processor contract (Article 28(4)). These binding arrangements carry compliance through the whole processing chain and set clear responsibilities for handling personal data. The obligations therefore ‘flow down’ from controller to processor to sub-processor, so that the same data protection requirements bind each party. Where either party has appointed a data protection officer, the contract should identify them as the contact point for data protection matters.

Contracts must include GDPR compliance clauses covering all data protection obligations that apply to the original processing relationship: confidentiality requirements, security measures, and breach notification procedures aligned with the standards agreed between controller and processor. When a new sub-processor is appointed, the contract must require transparency towards the controller, the controller’s written authorisation, and a data processing agreement with the new party before any personal data is shared.

Sub-processors may process data only on the processor’s lawful instructions and within the scope defined in the original controller-processor agreement. The processor in turn acts strictly on the controller’s instructions and makes no independent decisions about the data; a processor that starts determining the purposes and means of processing is treated as a controller for that processing (Article 28(10)). Any processing outside these instructions is a breach of both contractual and statutory obligations.

Data subject rights assistance and data deletion procedures must be specified to ensure that individuals can exercise their rights effectively, even when multiple parties are involved in the data processing chain. The processor assists the controller in fulfilling these obligations under GDPR, supporting the controller in responding to data subject requests and ensuring compliance.

Essential Contract Clauses

The processing scope and permitted purposes must be clearly defined within the GDPR boundaries, ensuring that sub-processors understand exactly what processing activities they can perform and under what circumstances.

Technical and organisational measures equivalent to the processor’s own standards must be implemented (Article 32), often evidenced by security certifications such as ISO 27001 or SOC 2 reports. A certificate attests to a management system or a set of controls within a stated scope, not to the specific service you use, so check that the scope, the Statement of Applicability or the SOC 2 system description actually covers the systems that will process your data.

International transfers provisions must address adequacy decisions or appropriate safeguards when sub-processors are located outside the EU/EEA, ensuring compliance with restrictions on international data transfers.

Audit rights and compliance monitoring procedures enable ongoing verification of sub-processor performance, including provisions for regular audits and immediate access during investigations.

Termination clauses requiring the return or deletion of data upon contract end protect against unauthorised retention of personal data and ensure a clean separation when business relationships conclude.

Liability and Responsibility Framework

Where a sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of those obligations (Article 28(4)). If a sub-processor falls short, the processor must answer to the controller for the resulting damage, which is why the processor has to secure compliance at every link in the chain. Article 82 separately governs compensation claims by data subjects against controllers and processors.

Controllers can claim compensation from processors for damage caused by sub-processor failures, which may extend to regulatory fines, legal costs, and business disruption to the extent the contract and applicable law allow such recovery. The processor then has recourse against the sub-processor under their own contract.

Sub-processors are directly liable under GDPR if they fail to comply with data protection laws or act outside lawful instructions. They face both supervisory authority fines and potential civil claims for damages from affected data subjects.

Both processors and sub-processors can be held liable to the controller and data subjects when personal data breaches occur due to inadequate security measures or non-compliance with processing instructions.

The liability framework creates strong incentives for proper sub-processor management, as processors cannot simply pass responsibility down the chain; they must ensure compliance at every level of the supply chain.

Joint and Several Liability

When multiple parties contribute to data protection violations, they may face joint and several liability, meaning each party can be held responsible for the full amount of damages rather than just their proportional share. This ensures that data subjects have the right to seek redress and recover compensation for violations.

This approach ensures data subjects can recover compensation even if one party in the processing chain lacks sufficient resources, while allowing parties to seek contributions from others based on their relative responsibility.

Risk Management and Due Diligence

Regular audits and assessments verify sub-processor compliance with data protection standards and identify potential vulnerabilities before they result in personal data breaches. These evaluations should occur at least annually, with more frequent reviews for high-risk processing activities.

Due diligence involves reviewing security certifications, such as ISO 27001 and SOC 2 reports, examining incident response procedures, and verifying the sub-processor’s track record for handling similar processing activities safely and securely. Due diligence should also include screening during the onboarding of new sub-processors to ensure compliance from the outset.

Ongoing monitoring through automated compliance tools and periodic reviews is essential for maintaining oversight of sub-processor performance. Many organisations use vendor management platforms to track certification status, incident reports, and compliance metrics in real-time.

Incident response procedures must require sub-processors to notify the processor of a personal data breach without undue delay, and the processor to notify the controller likewise (Article 33(2)), because the 72-hour deadline for reporting to the supervisory authority runs for the controller from the moment it becomes aware (Article 33(1)). Contracts therefore usually set a much shorter internal deadline (24 hours is common) so the controller still has time to assess and report. Clear communication channels and escalation procedures keep response times short during critical incidents.

Business continuity planning should account for sub-processor service disruptions, including scenarios where key vendors become unavailable due to technical failures, financial difficulties, or regulatory action.

Common Sub-processor Risks

Data breaches resulting from inadequate security measures or unauthorised access represent the most significant risk category, potentially exposing sensitive personal data and triggering regulatory investigations. To identify and mitigate these risks, it is essential to conduct a thorough risk assessment.

Non-compliance with GDPR requirements can result in fines and penalties imposed by supervisory authorities, which can cascade through the processing chain, affecting all parties involved in the data protection violation.

Unauthorised international data transfers breach the Chapter V transfer restrictions and can lead supervisory authorities to order transfers suspended, disrupting business operations and damaging customer relationships.

Service disruptions affect data availability and business operations, potentially preventing organisations from fulfilling their obligations to data subjects and business partners.

Vendor lock-in situations complicate data portability and contract termination, making it difficult to switch providers when compliance issues arise or business needs change.

Transparency and Documentation Requirements

Maintaining an updated register of all authorised sub-processors accessible to controllers demonstrates compliance with transparency obligations and enables effective oversight of the processing chain.

Documentation of sub-processor selection criteria and approval processes provides audit trails for regulatory reviews and helps demonstrate the organisation’s commitment to data protection by design and by default.

Controllers’ privacy notices must tell data subjects about the recipients or categories of recipients of their personal data (Articles 13 and 14), which in practice means describing the types of sub-processors involved and how individuals can exercise their rights throughout the processing chain. Processors must give controllers the information they need to keep those notices accurate.

Data Processing Agreements (DPAs) must be properly executed and maintained, with all amendments and updates tracked to ensure that current versions accurately reflect the actual processing relationships.

Compliance evidence, including sub-processor notifications and controller responses, should be archived systematically to support regulatory investigations and demonstrate good faith efforts to maintain transparency.

International Data Transfers and Sub-processors

International data transfers involving sub-processors require adequate protection through European Commission adequacy decisions, Standard Contractual Clauses (SCCs), or other appropriate safeguards approved under GDPR Chapter V.

Processors must verify that third-country sub-processors can provide adequate protection for EU personal data, taking into account both the legal frameworks and the practical enforcement capabilities in the destination country.

Transfer Impact Assessments (TIAs) are required whenever a transfer relies on an Article 46 tool such as the SCCs to a country without an adequacy decision, following the Schrems II judgment and the EDPB’s recommendations; the assessment considers whether government surveillance or other local factors would undermine the protection the tool is meant to provide and whether supplementary measures are needed.

Data localisation requirements in specific industries, such as healthcare and finance, may mandate that specific data categories remain within EU borders, thereby limiting sub-processor options for affected processing activities.

Regulatory changes in international transfer mechanisms require ongoing monitoring and contract updates to maintain compliance as legal frameworks evolve.

Best Practices for Sub-processor Management

Establishing clear sub-processor approval workflows with defined timelines and responsibilities streamlines vendor onboarding while maintaining appropriate oversight and control over the processing chain.

Automated notification systems for sub-processor changes and updates ensure controllers receive timely information about modifications to processing arrangements, enabling them to make informed decisions about continued authorisation.
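As an added illustration (not code from the original article), here is a small sub-processor register that implements the general-authorisation workflow described above and in the Article 28 section: a written notice starts an objection window, the controller may object while it is open, and the sub-processor may only be engaged once the window has closed without objection. It also refuses to notify a sub-processor for which no Chapter V transfer basis is recorded. The 30-day window and the EEA and adequacy country lists are hypothetical and deliberately incomplete; take the real values from your DPA and from the Commission’s current adequacy decisions.

```python
"""Sub-processor register with a general-authorisation change workflow.

Added illustration for this article, not code from the original page.
Assumptions (hypothetical): a 30-day objection window and deliberately
incomplete EEA / adequacy country lists. Set both from the actual DPA and
the Commission's current adequacy decisions before relying on them.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Illustrative, incomplete lists: replace with the full EEA list and the
# Commission's current adequacy decisions in a real deployment.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE"}
ADEQUACY = {"CH", "GB", "JP"}
TRANSFER_TOOLS = {"SCC", "BCR"}  # Article 46 appropriate safeguards


@dataclass
class SubProcessor:
    name: str
    purpose: str            # processing activity the controller authorised
    country: str            # ISO 3166-1 alpha-2 code of the processing location
    transfer_tool: Optional[str] = None  # e.g. "SCC" for a third country

    def transfer_basis(self) -> str:
        """Chapter V basis for sending personal data here; raises if none."""
        if self.country in EEA:
            return "EEA"
        if self.country in ADEQUACY:
            return "adequacy decision"
        if self.transfer_tool in TRANSFER_TOOLS:
            return self.transfer_tool
        raise ValueError(f"{self.name}: no lawful transfer basis for {self.country}")


@dataclass
class ChangeNotice:
    """A written notice of an intended new sub-processor (Article 28(2))."""
    sub_processor: SubProcessor
    notified_on: date
    window_days: int
    objected_on: Optional[date] = None

    @property
    def window_closes(self) -> date:
        return self.notified_on + timedelta(days=self.window_days)

    def status(self, today: date) -> str:
        if self.objected_on is not None:
            return "objected"
        if today < self.window_closes:
            return "open"
        return "cleared"


class SubProcessorRegister:
    """Tracks notices, objections and the list of engaged sub-processors."""

    def __init__(self, window_days: int = 30):
        self.window_days = window_days
        self.notices: Dict[str, ChangeNotice] = {}
        self.engaged: Dict[str, SubProcessor] = {}

    def notify(self, sp: SubProcessor, notified_on: date) -> ChangeNotice:
        # Check the transfer basis before the controller is notified, so a
        # notice never proposes a sub-processor the processor cannot lawfully use.
        sp.transfer_basis()
        notice = ChangeNotice(sp, notified_on, self.window_days)
        self.notices[sp.name] = notice
        return notice

    def record_objection(self, name: str, on: date) -> None:
        notice = self.notices[name]
        if on >= notice.window_closes:
            raise ValueError(f"{name}: objection window closed on {notice.window_closes}")
        notice.objected_on = on

    def engage(self, name: str, today: date) -> SubProcessor:
        """Allowed only once the window has passed without objection."""
        notice = self.notices[name]
        status = notice.status(today)
        if status != "cleared":
            raise PermissionError(f"{name}: cannot engage, notice is {status}")
        self.engaged[name] = notice.sub_processor
        return notice.sub_processor

    def published_list(self) -> List[dict]:
        """The register controllers see: engaged entities plus pending notices."""
        rows = [{"name": sp.name, "purpose": sp.purpose, "country": sp.country,
                 "basis": sp.transfer_basis(), "state": "engaged"}
                for sp in self.engaged.values()]
        rows += [{"name": n.sub_processor.name, "purpose": n.sub_processor.purpose,
                  "country": n.sub_processor.country,
                  "basis": n.sub_processor.transfer_basis(),
                  "state": f"notice, window closes {n.window_closes}"}
                 for n in self.notices.values()
                 if n.sub_processor.name not in self.engaged]
        return rows


if __name__ == "__main__":
    reg = SubProcessorRegister(window_days=30)
    host = SubProcessor("Example Hosting GmbH", "hosting", "DE")  # constructed sample
    reg.notify(host, date(2024, 1, 1))
    print(reg.engage("Example Hosting GmbH", date(2024, 2, 1)).name)
    print(reg.published_list())
```

The point of the `engage` check is that the register, not a person, enforces the sequence the article describes: nothing is added to the engaged list while a window is open or after an objection, and the published list shows pending notices alongside engaged entities so controllers can see what is coming. In a real system the same record would also hold the DPA reference and audit evidence for each entry.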

Standardised contract templates ensure consistent GDPR compliance across vendors while reducing negotiation time and legal costs associated with establishing new sub-processor relationships.

Vendor assessment scorecards that combine security, compliance, and performance metrics give objective criteria for screening candidate sub-processors at selection time and for re-evaluating them over the life of the relationship.

Emergency contact procedures for security incidents and data breaches facilitate rapid response coordination between processors and sub-processors in time-sensitive situations.

Technology Solutions for Compliance

Vendor management platforms track sub-processor contracts and compliance status, providing centralised oversight of the entire vendor ecosystem and automated alerts for important deadlines and requirements.

Data mapping tools visualise data flows through sub-processor networks, helping organisations understand complex processing relationships and identify potential compliance gaps or security vulnerabilities.

Monitoring solutions provide real-time compliance tracking and alert generation, enabling proactive management of sub-processor relationships and rapid response to emerging issues.

Contract lifecycle management automates renewal and update notifications, ensuring Data Processing Agreements remain current and reflect actual processing relationships.

Privacy management software centralises GDPR compliance oversight, integrating sub-processor management with broader data protection activities, such as handling data subject requests and responding to breaches.

Conclusion

GDPR sub-processor management is a critical component of data protection compliance that requires ongoing attention and a systematic approach. Processors must maintain strict oversight of their sub-processor relationships while ensuring controllers have the transparency and control they need to fulfil their own data protection obligations.

The legal requirements under Article 28 are clear: written authorisation, equivalent protection standards, and full processor liability for the performance of sub-processors. However, implementing these requirements effectively requires robust processes, appropriate technology solutions, and continuous monitoring to adapt to changing business needs and regulatory expectations.

Organisations that invest in proper sub-processor management not only ensure compliance with data protection laws but also build trust with customers and business partners who entrust them with sensitive personal data.

Ready to strengthen your GDPR sub-processor compliance program? Our data protection experts can help you develop comprehensive policies, implement monitoring systems, and ensure your organisation meets all regulatory requirements while maintaining operational efficiency.

FAQ

Can a processor use a sub-processor without controller approval? No. GDPR Article 28(2) requires the controller’s prior specific or general written authorisation before any sub-processor is engaged. Processing personal data through an unauthorised sub-processor breaches both the contract and the Regulation.

What happens if a sub-processor causes a data breach? The processor remains liable to the controller for the sub-processor’s failure (Article 28(4)) and must notify the controller without undue delay after becoming aware of the breach (Article 33(2)); the 72-hour deadline is the controller’s, for reporting to the supervisory authority. The processor may subsequently claim damages from the sub-processor under their contract.

Can sub-processors engage their own sub-sub-processors? Yes, but they need authorisation following the same GDPR requirements as the original sub-processor appointment. The processor remains liable for ensuring compliance throughout the entire chain of processing relationships.