Compliance

Sub-Processor

A third party engaged by a data processor to process personal data on behalf of the data controller.

A sub-processor is another data processor engaged by a processor to carry out specific processing activities on behalf of the data controller.

Requirements

  • The processor must obtain prior authorization from the controller before engaging a sub-processor (either specific or general with notification)
  • The same data protection obligations from the DPA must flow down to the sub-processor
  • The processor remains liable if the sub-processor fails to fulfil its obligations

In Practice

Most SaaS companies maintain a public list of sub-processors and provide a mechanism for customers to object to new sub-processors.

GDPR Article 28(2) and (4).

Related Terms

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

Data ProcessorPrivacy

An entity that processes personal data on behalf of a data controller.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Data Processing AgreementCompliance

A legally binding contract between a data controller and a data processor that governs how personal data is handled.

Storage LimitationSupervisory Authority