What is a sub-processor under GDPR

What is a sub-processor under GDPR?

Updated: June 2026

A GDPR sub-processor is a third-party entity that processes personal data on behalf of a data processor, strictly under the processor’s instructions. Unlike data controllers who determine the purposes and means of processing, or data processors who handle data on behalf of controllers, sub-processors operate one step further down the data processing chain.

Managing sub-processor relationships requires careful attention to authorisation, contracts, and ongoing monitoring. This guide covers the legal requirements, liability framework, and practical steps for staying compliant under Article 28.

Key Takeaways

• GDPR sub-processors must be authorised in writing by data controllers before processing personal data, ensuring transparency and control over the data processing chain.

• Processors remain fully liable for the compliance and data protection obligations of their sub-processors when outsourcing processing activities, requiring written contracts, due diligence, and ongoing monitoring of vendor relationships.

• Effective sub-processor management, including clear contractual terms, regular audits, and adherence to GDPR Article 28, is essential for reducing risk and meeting regulatory requirements.

What is a sub-processor under GDPR?

A sub-processor processes personal data on behalf of a data processor under the processor’s specific instructions. Unlike data controllers, who determine the purposes and means of processing, or data processors, who handle personal data on behalf of controllers, sub-processors operate one tier removed from the original data-processing relationship.

Sub-processors can be businesses, SMEs, public authorities, agencies, or other legal entities. Public authorities may act as sub-processors when processing is required by law in the public interest. They support the processor by performing specific tasks under its instruction, without deciding how or why the data is used.

Engaging a sub-processor is a form of outsourcing in which the processor delegates certain operations to another party. Sub-processors carry out processing operations strictly under the processor’s instructions, implementing technical and organisational measures as required.

Common examples of sub-processors include:

Cloud storage providers like AWS, Google Cloud, and Microsoft Azure that store data processing systems

Email marketing platforms such as Mailchimp that send communications on behalf of processors

CRM services like Salesforce that manage customer relationships for business operations

Analytics tools that track website performance and user behaviour

Payment processors that handle transaction data for e-commerce platforms

The key distinction is that sub-processors do not decide why or how data is processed; they act only according to explicit instructions from the processor, which in turn originate from the controller’s lawful basis for processing.

What are the legal requirements for sub-processors under GDPR Article 28?

GDPR Article 28 establishes the legal foundation for sub-processor relationships, with strict controls to prevent unauthorised data processing. These requirements ensure compliance with statutory obligations and protect the rights of data subjects throughout the processing chain.

Written authorisation from the data controller is mandatory before engaging any sub-processor. This requirement applies regardless of the sub-processor’s size, location, or the scope of processing activities they will perform.

Controllers can provide either specific authorisation for individual sub-processors or general authorisation for categories of processing activities. Both approaches must comply with the laws of the member states, including the UK GDPR, and provide sufficient guarantees for data protection.

Processors must not act outside the controller’s instructions unless the law prohibits or requires certain processing activities. In such cases, processors must inform the controller unless significant grounds of public interest or legal obligations prevent disclosure.

Processors must inform controllers in writing of any intended changes to sub-processors and allow a reasonable period for controllers to object. This notification period typically ranges from 30 to 60 days, depending on contract terms and the nature of processing activities.

Controllers have the right to object to new sub-processor appointments within a reasonable timeframe. If a controller objects and no alternative is available, the processor may terminate the relevant service component rather than breach its data protection obligations.

What is the difference between specific and general authorisation?

Specific authorisation requires controller approval for each individual sub-processor appointment. This gives controllers maximum oversight but can be burdensome for processors managing a complex supply chain with multiple vendors.

General authorisation allows processors to engage sub-processors within approved categories, provided they give advance notification. This model works better for processors with dynamic vendor relationships, though it requires clear criteria and reliable notification processes.

Controllers with significant leverage often prefer specific authorisation for greater control. However, general written authorisation has become more common as organisations recognise the operational challenges of case-by-case approvals.

The right choice depends on the risk profile of the processing activities, the sensitivity of the personal data involved, and the operational requirements of both parties.

What must sub-processor contracts include?

Processor-sub-processor contracts must guarantee the same level of personal data protection as that provided in the controller-processor agreement. These obligations must flow down from the controller to the processor and then to the sub-processor, so that the same data protection requirements bind each party in the chain.

Contracts must include specific GDPR compliance clauses covering all data protection obligations applicable to the original processing relationship. This includes confidentiality requirements, security measures, and breach notification procedures that align with the standards established between controllers and processors.

Sub-processors must process data only under the processor’s lawful instructions and within the scope defined in the original controller-processor agreement. Any processing outside these instructions is a breach of both contractual and statutory obligations.

Data subject rights assistance and data deletion procedures must be specified to ensure that individuals can exercise their rights effectively, even when multiple parties are involved in the processing chain.

What clauses must every sub-processor contract include?

The processing scope and permitted purposes must be clearly defined within the GDPR framework so that sub-processors understand exactly which processing activities they may perform and under what circumstances.

Technical and organisational measures equivalent to processor standards must be required, often referencing specific security certifications such as ISO 27001 or SOC 2 to demonstrate compliance with appropriate safeguards.

International transfer provisions must address adequacy decisions or appropriate safeguards when sub-processors are located outside the EU/EEA, ensuring compliance with restrictions on cross-border data transfers.

Audit rights and compliance monitoring procedures must enable ongoing verification of sub-processor performance, including provisions for regular audits and access during investigations.

Termination clauses requiring the return or deletion of data at the end of the contract protect against unauthorised retention of personal data when business relationships conclude.

Who is liable when a sub-processor causes a data breach?

Processors remain fully liable to controllers for the compliance of their sub-processors under GDPR Article 82. If a sub-processor fails to meet data protection requirements, the processor must compensate the controller for any resulting damages.

Controllers can claim compensation from processors for damages caused by sub-processor failures, including regulatory fines, legal costs, and business disruption. The processor then has the right to seek recovery from the sub-processor based on their contractual relationship.

Sub-processors are directly liable under GDPR if they fail to comply with data protection law or act outside lawful instructions. They face both supervisory authority fines and potential civil claims from affected data subjects.

Both processors and sub-processors can be held liable to the controller and data subjects when personal data breaches occur due to inadequate security measures or non-compliance with processing instructions.

The liability framework creates strong incentives for proper sub-processor management. Processors cannot simply pass responsibility down the chain; they must ensure compliance at every level.

What does joint and several liability mean for processors?

When multiple parties contribute to data protection violations, they may face joint and several liability, meaning each party can be held responsible for the full amount of damages rather than just its proportional share.

This ensures data subjects can recover compensation even if one party in the processing chain lacks sufficient resources, while allowing parties to seek contributions from others based on their relative responsibility.

How should processors manage sub-processor risk?

Regular audits and assessments verify sub-processors’ compliance with data protection standards and identify potential vulnerabilities before they lead to personal data breaches. These evaluations should occur at least annually, with more frequent reviews for high-risk processing activities.

Due diligence involves reviewing security certifications such as ISO 27001 and SOC 2 reports, examining incident response procedures, and verifying the sub-processor’s track record for handling similar processing activities. Due diligence should also include screening during the onboarding of new sub-processors to confirm compliance from the start.

Ongoing monitoring through automated compliance tools and periodic reviews is necessary for maintaining oversight of sub-processor performance. Many organisations use vendor management platforms to track certification status, incident reports, and compliance metrics.

Incident response procedures must include notification of sub-processor breaches within 72 hours to ensure that controllers can meet their own regulatory reporting obligations. Clear communication channels and escalation procedures help minimise response times during incidents.

Business continuity planning should account for sub-processor service disruptions, including scenarios where key vendors become unavailable due to technical failures, financial difficulties, or regulatory action.

What are the most common sub-processor compliance risks?

Data breaches resulting from inadequate security measures or unauthorised access pose the most significant risk, potentially exposing sensitive personal data and triggering regulatory investigations.

Non-compliance with GDPR requirements can result in fines that cascade through the processing chain, affecting all parties involved in the data protection violation.

Unauthorised international data transfers violate adequacy requirements and can result in immediate processing suspensions, disrupting business operations and damaging customer relationships.

Service disruptions affect data availability and business operations, potentially preventing organisations from fulfilling their obligations to data subjects and business partners.

Vendor lock-in complicates data portability and contract termination, making it difficult to switch providers when compliance issues arise or business needs change.

What documentation do processors need for sub-processor compliance?

Maintaining an updated register of all authorised sub-processors, accessible to controllers, demonstrates compliance with transparency obligations and enables effective oversight of the processing chain.

Documentation of sub-processor selection criteria and approval processes provides audit trails for regulatory reviews and supports data protection by design and by default.

Privacy notices to data subjects must clearly explain the involvement of sub-processors in data processing, including the types of sub-processors used and how individuals can exercise their rights.

Data Processing Agreements (DPAs) must be properly executed and maintained, with all amendments and updates tracked to ensure current versions accurately reflect actual processing relationships.

Compliance evidence, including sub-processor notifications and controller responses, should be archived systematically to support regulatory investigations and demonstrate good faith efforts to maintain transparency.

What rules apply to international data transfers involving sub-processors?

International data transfers involving sub-processors require adequate protection through European Commission adequacy decisions, Standard Contractual Clauses (SCCs), or other appropriate safeguards approved under GDPR Chapter V.

Processors must verify that third-country sub-processors can provide adequate protection for EU personal data, taking into account both the legal frameworks and the practical enforcement capabilities in the destination country.

Transfer Impact Assessments (TIAs) are required for high-risk international transfers, particularly to countries without adequacy decisions where government surveillance or other factors might undermine EU data protection standards.

Data localisation requirements in specific sectors, such as healthcare and finance, may require certain data categories to remain within the EU, limiting sub-processor options for affected processing activities.

Regulatory changes in international transfer mechanisms require ongoing monitoring and contract updates to maintain compliance as legal frameworks evolve.

What are the best practices for managing GDPR sub-processors?

Establishing clear sub-processor approval workflows with defined timelines and responsibilities streamlines vendor onboarding while maintaining oversight and control over the processing chain.

Automated notification systems for sub-processor changes ensure controllers receive timely information about modifications to processing arrangements, enabling informed decisions about continued authorisation.

Standardised contract templates ensure consistent GDPR compliance across vendors while reducing negotiation time and legal costs when establishing new sub-processor relationships.

Vendor assessment scorecards that incorporate security, compliance, and performance metrics provide objective criteria for selecting and evaluating sub-processors, including screening during selection.

Emergency contact procedures for security incidents and data breaches facilitate rapid response coordination between processors and sub-processors in time-sensitive situations.

What technology tools help manage sub-processor compliance?

Vendor management platforms track sub-processor contracts and compliance status, providing centralised oversight of the entire vendor ecosystem and automated alerts for important deadlines and requirements.

Data mapping tools visualise data flows through sub-processor networks, helping organisations understand complex processing relationships and identify potential compliance gaps or security vulnerabilities.

Monitoring solutions provide real-time compliance tracking and alerts, enabling proactive management of sub-processor relationships and rapid response to emerging issues.

Contract lifecycle management automates renewal and update notifications, ensuring Data Processing Agreements remain current and reflect actual processing relationships.

Privacy management software centralises GDPR compliance oversight, integrating sub-processor management with broader data protection activities such as handling data subject requests and responding to breaches.

Frequently Asked Questions

Can a processor use a sub-processor without controller approval?

No. GDPR Article 28 requires written authorisation from the controller before engaging any sub-processor. Processing personal data through unauthorised sub-processors is a breach of both contractual and legal requirements.

What happens if a sub-processor causes a data breach?

The processor remains liable to the controller and must notify the controller within 72 hours of becoming aware of the breach. The processor may subsequently claim damages from the sub-processor based on their contractual relationship.

Can sub-processors engage their own sub-sub-processors?

Yes, but they need authorisation in accordance with the same GDPR requirements as the original sub-processor appointment. The processor remains liable for ensuring compliance throughout the entire chain of processing relationships.

Ana Mishova

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.