What is a Sub-Processor?

A sub-processor is a third-party entity engaged by a data processor to handle personal data on behalf of a data controller. This relationship is vital in the context of GDPR, as it extends the responsibilities of data protection to any external parties that a processor might involve in processing activities.

The Roles and Responsibilities of a Sub-Processor

Under GDPR, a sub-processor must comply with the same data protection obligations that apply to the original processor. This includes ensuring that data is processed securely and only for the purposes specified by the data controller. The processor, in turn, must obtain prior written consent from the controller before engaging a sub-processor, making transparency and compliance essential.

Sub-Processors and Their Legal Obligations

The use of sub-processors is tightly regulated under GDPR. Before a sub-processor can be engaged, the data processor must inform the data controller and obtain specific authorisation. Additionally, sub-processors must adhere to the terms of the data processing agreement, which binds them to the same level of data protection that the processor has agreed upon with the controller.

Sub-Processor Analogy

We have a child, a parent and a toy. Let’s imagine that the toy is a personal data. The child is the one that plays with the toy, he has access to they toy and may decide where to store it. However, the parent is the real owner of the toy and they decide what the child can do and can't do with the toy.

‍

In data protection the toy is the data, the child is the processor and the parent in the controller. This means the controller establishes the rules for how the processor can use the data, and the processor must adhere to those rules.

Example of a Sub-Processor: Google Drive

Sub-processors are common in various industries where specialised services are required. For example, let’s say you use Google Drive. Google Drive (processor) chooses which servers to store data in, what security measures to put around it but ultimately you decide which data to upload to Google Drive, when to edit it and when to remove it - making you the controller.

Note: A processor doesn’t need to store personal data to be considered one; simply transmitting or accessing the data qualifies. For instance, integration tools like Zapier or Integromat are also considered processors.

How is a Sub-Processor Different From a Processor?

A processor is a party that processes personal data on behalf of the data controller, directly following the controller's instructions. In contrast, a sub-processor is a third party engaged by the processor to perform specific processing tasks on behalf of the controller.

While the processor has a direct relationship with the controller, the sub-processor is brought in by the processor to handle certain aspects of the data processing. Both are bound by GDPR requirements, but their roles and responsibilities differ based on their relationship to the data controller.

Example: Let’s say that Google Drive uses Amazon Web Services to run their servers and Mailchimp to send you an email when someone gives you access to a file. In this scenario Amazon Web Services and Mailchimp are processors to Google Drive.

When we use a processor like Google Drive - we call the processors that they use to give you a service (in this case Amazon Web Services and Mailchimp) sub-processors.

To recap: sub-processors are the processors of your processors.

Why Do You Need to Know Who Your Sub-Processors Are?

If in your company you act as a processor (the majority of SaaS are processors) then you need to have a Data Processing Agreement which is an agreement required by law that lays out your responsibilities and those of the controller.

In this agreement you need to specify who your own processors are, as they will be sub-processors for your customers. You will need to also include: the purpose for which you engage these companies and the countries where the data is being processed.

In our example - in their Data Processing Agreement Google Drive will have:

Key Takeaways & Wrap Up

In this article, we have helped you understand the following information about sub-processors:

• Sub-processors are third parties engaged by processors to handle personal data on behalf of data controllers, extending GDPR responsibilities.
• They must adhere to the same data protection obligations as processors, including obtaining authorisation and following data processing agreements.
• Properly managing sub-processors ensures compliance, transparency, and protection of personal data, reducing organisational risks.

Sub-Processors - FAQs

What is the main role of a sub-processor?

A sub-processor assists the primary processor by handling specific data processing tasks on behalf of the data controller. They must follow the same data protection rules as the primary processor.

Does a sub-processor need to be GDPR compliant?

Yes, sub-processors must comply with GDPR regulations and ensure that personal data is processed securely and in accordance with the contract established between the data controller and the primary processor.

Can a sub-processor be engaged without the data controller’s consent?

No, the data controller must provide prior written consent before a processor can engage a sub-processor.

What happens if a sub-processor fails to comply with GDPR?

If a sub-processor fails to comply with GDPR, the primary processor may be held liable, and the sub-processor may face penalties. It's crucial that both the processor and sub-processor maintain GDPR compliance.

Are sub-processors common in all industries?

Sub-processors are used in many industries, particularly where specialised services are needed, such as in cloud computing, data analytics, and marketing services.