What is a Sub-Processor?

A sub-processor is a third-party entity engaged by a data processor to handle personal data on behalf of a data controller. This relationship is vital in the context of GDPR, as it extends the responsibilities of data protection to any external parties that a processor might involve in processing activities.

The Roles and Responsibilities of a Sub-Processor

Under GDPR, a sub-processor must comply with the same data protection obligations that apply to the original processor. This includes ensuring that data is processed securely and only for the purposes specified by the data controller. The processor, in turn, must obtain prior written consent from the controller before engaging a sub-processor, making transparency and compliance essential.

Sub-Processors and Their Legal Obligations

The use of sub-processors is tightly regulated under GDPR. Before a sub-processor can be engaged, the data processor must inform the data controller and obtain specific authorisation. Additionally, sub-processors must adhere to the terms of the data processing agreement, which binds them to the same level of data protection that the processor has agreed upon with the controller.

Sub-Processor Analogy

We have a child, a parent and a toy. Let's imagine that the toy is personal data. The child is the one who plays with the toy; he has access to the toy and may decide where to store it. However, the parent is the real owner of the toy, and they decide what the child can and can't do with it.

In data protection the toy is the data, the child is the processor and the parent is the controller. This means the controller establishes the rules for how the processor can use the data, and the processor must adhere to those rules.

Example of a Sub-Processor: Google Drive

Sub-processors are common in various industries where specialised services are required. For example, let's say you use Google Drive. Google Drive (the processor) chooses which servers to store data on and what security measures to put around it, but ultimately you decide which data to upload to Google Drive, when to edit it and when to remove it, making you the controller.

Note: A processor doesn’t need to store personal data to be considered one; simply transmitting or accessing the data qualifies. For instance, integration tools like Zapier or Integromat are also considered processors.

How is a Sub-Processor Different From a Processor?

A processor is a party that processes personal data on behalf of the data controller, directly following the controller's instructions. In contrast, a sub-processor is a third party engaged by the processor to perform specific processing tasks on behalf of the controller.

While the processor has a direct relationship with the controller, the sub-processor is brought in by the processor to handle certain aspects of the data processing. Both are bound by GDPR requirements, but their roles and responsibilities differ based on their relationship to the data controller.

Example: let's say that Google Drive uses Amazon Web Services to run its servers and Mailchimp to send you an email when someone gives you access to a file. In this scenario Amazon Web Services and Mailchimp are processors to Google Drive.

When we use a processor like Google Drive, we call the processors it uses to provide the service to you (in this case Amazon Web Services and Mailchimp) sub-processors.

To recap: sub-processors are the processors of your processors.

Why Do You Need to Know Who Your Sub-Processors Are?

If your company acts as a processor (the majority of SaaS companies are processors), then you need a Data Processing Agreement, an agreement required by law that lays out your responsibilities and those of the controller.

In this agreement you need to specify who your own processors are, as they will be sub-processors for your customers. You will also need to include the purpose for which you engage these companies and the countries where the data is processed.

In our example, Google Drive's Data Processing Agreement will list:

Conclusion

Engaging sub-processors is a standard practice in many businesses, but it comes with significant legal responsibilities under GDPR. Organisations must ensure that any sub-processor they work with adheres strictly to data protection obligations, safeguarding personal data at every step. Proper management and transparency are key to maintaining compliance and protecting the rights of data subjects.

FAQs about Sub-Processors

What is the main role of a sub-processor?

A sub-processor assists the primary processor by handling specific data processing tasks on behalf of the data controller. They must follow the same data protection rules as the primary processor.

Does a sub-processor need to be GDPR compliant?

Yes, sub-processors must comply with GDPR regulations and ensure that personal data is processed securely and in accordance with the contract established between the data controller and the primary processor.

Can a sub-processor be engaged without the data controller’s consent?

No, the data controller must provide prior written consent before a processor can engage a sub-processor.

What happens if a sub-processor fails to comply with GDPR?

If a sub-processor fails to comply with GDPR, the primary processor may be held liable, and the sub-processor may face penalties. It's crucial that both the processor and sub-processor maintain GDPR compliance.

Are sub-processors common in all industries?

Sub-processors are used in many industries, particularly where specialised services are needed, such as in cloud computing, data analytics, and marketing services.

Further Reading and Resources about Sub-Processors

To deepen your understanding of sub-processors and their role in data protection under GDPR, you can explore the following resources:

September 16, 2024
