Subprocessors under GDPR: Legal obligations and requirements

Posted by Kevin Yun | October 31, 2025

When your company handles personal data, chances are you're not doing it alone. Third-party services help with everything from cloud storage to payment processing. But here's what many businesses miss: some of these vendors are actually "subprocessors" under GDPR, and that comes with specific legal obligations.

Getting this wrong can lead to hefty fines and compliance headaches. Yet surprisingly, many companies still don't understand which vendors qualify as subprocessors or what they need to do about them.

Understanding subprocessors in simple terms

A subprocessor is any third-party company that processes personal data on behalf of your organization. Think of it this way: if you're a data processor for your clients, and you engage another company to help with that processing, that company becomes your subprocessor.

The relationship creates a chain of responsibility. Your client (the data controller) trusts you to handle their data properly. When you pass some of that processing to a subprocessor, you're still responsible for ensuring compliance throughout the entire chain.

This isn't just about storing data in the cloud (though that's definitely included). Subprocessors can be email service providers, payment processors, analytics platforms, or any service that touches personal data while helping you fulfill your obligations to clients.

The key distinction? The subprocessor must be processing data on your behalf - not just providing a general service your company uses. This nuance trips up many businesses.

GDPR requirements for subprocessors

Article 28 of GDPR spells out the rules pretty clearly. When you engage a subprocessor, you can't just hand over the data and hope for the best. The regulation requires specific safeguards and documentation.

First, you need written contracts with every subprocessor. These contracts must include specific clauses about data protection, security measures, and breach notification procedures. The GDPR doesn't give you wiggle room here - it's a hard requirement.

Second, you must inform data subjects (and often your clients) about which subprocessors you use. Transparency isn't optional under GDPR. People have a right to know where their data is going and who's handling it.

The regulation also requires that subprocessors meet the same data protection standards you do. You can't use a subprocessor as an excuse to lower your security standards. If anything, you need to be more careful because you're responsible for their actions too.

Breach notification becomes more complex with subprocessors. They must notify you of any security incidents within specific timeframes, and you still have your own notification obligations to supervisory authorities and data subjects.

How to identify if a vendor is a subprocessor

Not every vendor your company works with qualifies as a subprocessor. The office cleaning service probably isn't processing personal data. Your accounting software provider might be, depending on what data they access.

The test is simple: does this vendor process, store, or transmit personal data on behalf of your organization? If yes, they're likely a subprocessor. If they only provide general business services without accessing personal data, they're just regular vendors.

Here are some clear examples to help you categorize your vendors:

Definitely subprocessors:

  • Cloud hosting providers storing customer databases
  • Email marketing platforms sending campaigns with customer data
  • Payment processors handling customer payment information
  • Customer support platforms storing communication records
  • Analytics services processing user behavior data

Usually not subprocessors:

  • Office supply vendors
  • Facilities management companies
  • General business insurance providers
  • Legal services (unless they're handling your data processing activities)
  • Marketing agencies that don't access your customer data

The gray area comes with services like project management tools or communication platforms. If these tools contain personal data from your processing activities, they could qualify as subprocessors.

When in doubt, err on the side of caution. Treating a vendor as a subprocessor when they might not be costs you some administrative overhead. Missing a real subprocessor relationship can cost you regulatory fines.

Your legal responsibilities don't end when you sign a contract with a subprocessor. GDPR creates ongoing obligations that many companies underestimate.

You must conduct due diligence before engaging any subprocessor. This means evaluating their security measures, checking their certifications, and assessing their ability to meet GDPR requirements. A pretty website and good sales pitch aren't enough.

Ongoing monitoring is required too. You can't just check a subprocessor's credentials once and forget about them. Regular audits, security assessments, and contract reviews are part of maintaining compliance.

Data processing agreements (DPAs) must contain specific clauses mandated by GDPR. These aren't suggestions - they're legal requirements. The agreement must specify the subject matter and duration of processing, the nature and purpose of processing, the types of personal data involved, and the categories of data subjects.

You're also responsible for ensuring subprocessors only engage their own sub-subprocessors with your written consent. Yes, the chain can go deeper, and you need visibility and control over each level.

Breach notification procedures require careful coordination. Subprocessors must notify you of any personal data breaches without undue delay. You then have your own notification timelines to meet with supervisory authorities and affected individuals.

Common types of subprocessors

Most businesses work with similar categories of subprocessors, even if they don't realize it. Understanding these common types helps you identify gaps in your compliance program.

Cloud infrastructure providers top the list for most companies. Amazon Web Services, Google Cloud Platform, and Microsoft Azure store and process enormous amounts of personal data on behalf of their customers. These relationships definitely require proper DPAs and ongoing oversight.

Software-as-a-Service (SaaS) platforms often qualify as subprocessors. Customer relationship management systems, human resources platforms, accounting software, and project management tools frequently contain personal data. The key question is whether they're processing that data to help you fulfill your own processing obligations.

Communication service providers include email delivery services, SMS platforms, and customer support systems. If these services access personal data to send communications on your behalf, they're subprocessors requiring proper contracts and oversight.

Payment processing services obviously handle sensitive personal data. Credit card processors, digital wallets, and billing platforms need robust security measures and clear contractual obligations about data handling.

Analytics and tracking services collect and process personal data about website visitors and app users. Google Analytics, heat mapping tools, and user behavior tracking platforms often qualify as subprocessors for companies using them to understand customer behavior.

The table below shows common subprocessor categories and their typical functions:

Subprocessor type  | Function                            | Data processed
-------------------|-------------------------------------|------------------------------------------------------
Cloud hosting      | Infrastructure and storage          | All personal data in hosted systems
Email services     | Marketing and transactional emails  | Customer contact information, communication preferences
Payment processors | Transaction processing              | Payment card data, billing information
CRM platforms      | Customer relationship management    | Contact details, interaction history, preferences
Support platforms  | Customer service                    | Support tickets, communication records
Analytics services | Usage tracking and analysis         | User behavior data, demographics

Data processing agreements with subprocessors

Data processing agreements aren't just paperwork - they're your primary tool for maintaining compliance when working with subprocessors. GDPR Article 28 specifies exactly what these agreements must contain.

The agreement must clearly define what personal data the subprocessor can access and how they can use it. Vague language like "customer data" won't cut it. You need specific descriptions of data categories and processing purposes.

Security measures require detailed specification. The DPA should outline technical and organizational measures the subprocessor must implement. This includes encryption requirements, access controls, employee training, and incident response procedures.

Data subject rights create interesting challenges in subprocessor agreements. The contract must specify how the subprocessor will assist you in responding to data subject requests for access, rectification, erasure, or portability. These aren't theoretical requirements - real people make these requests regularly.

International data transfer provisions need careful attention if your subprocessor operates outside the European Economic Area. The agreement must include appropriate safeguards like Standard Contractual Clauses or reference adequacy decisions for the destination country.

Audit rights often get overlooked but they're required by GDPR. Your agreement must give you the right to audit the subprocessor's compliance measures. This can be through on-site inspections, third-party certifications, or detailed questionnaires.

Termination and data return clauses protect you when relationships end. The agreement should specify how quickly the subprocessor must return or delete personal data when the contract terminates, and what documentation they must provide to prove deletion occurred.

Managing subprocessor relationships

Good subprocessor management goes beyond signing contracts. You need systems and processes to maintain oversight throughout the relationship lifecycle.

Start with a comprehensive inventory of all your subprocessors. Many companies discover they have more subprocessor relationships than they realized when they actually map out all their vendor relationships and data flows.

Create a standard evaluation process for new subprocessors. This should include security questionnaires, reference checks, and review of relevant certifications like SOC 2 or ISO 27001. Don't skip this step even for well-known vendors.

Implement regular review cycles for existing subprocessors. Business needs change, security threats evolve, and regulatory requirements get updated. Annual reviews help you catch problems before they become compliance violations.

Document everything. Keep records of your due diligence activities, contract negotiations, security assessments, and any incidents or issues that arise. Supervisory authorities may request this documentation during investigations.

Monitor public information about your subprocessors. Security breaches, regulatory actions, and business changes at subprocessor companies can affect your compliance posture. Set up Google Alerts or use monitoring services to stay informed.

Train your team on subprocessor requirements. Legal, procurement, and operations teams all play roles in subprocessor management. Everyone needs to understand when GDPR obligations apply and what steps to take.

Subprocessor notification requirements

GDPR requires transparency about subprocessor relationships, but the specific notification requirements depend on your role in the data processing chain and your contracts with data controllers.

If you're a processor working for data controllers, you typically must inform controllers about your subprocessors. This can happen through direct notification, maintaining publicly available lists, or including subprocessor information in your contracts.

Many processors maintain subprocessor lists on their websites. These lists should include the subprocessor name, location, and general description of services provided. Keeping these lists current requires ongoing attention as vendor relationships change.

Some data controllers require advance notice before you engage new subprocessors. Your contract with the controller should specify notification timelines and whether the controller has veto rights over your subprocessor choices.

Changes to existing subprocessor relationships may also trigger notification requirements. If a subprocessor moves data to a new location, changes ownership, or significantly modifies their security practices, you may need to inform data controllers.

Data subjects don't typically receive direct notification about subprocessors, but they have the right to request information about who is processing their data. Your privacy notices should explain how people can get details about your subprocessors.

The notification burden increases with the complexity of your processing activities. Companies with multiple product lines, various data types, and numerous subprocessors need sophisticated tracking systems to maintain compliance.

Risk assessment and due diligence

Due diligence isn't a one-time checkbox exercise. Effective subprocessor risk management requires ongoing assessment and monitoring throughout the relationship lifecycle.

Start with security questionnaires tailored to the specific services the subprocessor will provide. Generic questionnaires miss important risks specific to different types of processing activities. Payment processors need different scrutiny than email service providers.

Review the subprocessor's security certifications, but don't rely on them exclusively. SOC 2 Type II reports, ISO 27001 certificates, and similar credentials provide valuable information, but you need to understand what they cover and what gaps might exist.

Assess the subprocessor's incident response capabilities. How quickly do they detect security incidents? What notification procedures do they follow? How do they contain and remediate problems? These capabilities directly affect your own compliance obligations.

Evaluate business continuity and disaster recovery plans. If your subprocessor experiences operational problems, how will that affect your ability to meet obligations to data controllers and data subjects? Understanding these dependencies helps you plan appropriate contingencies.

Consider the subprocessor's financial stability and business model. Companies going through financial difficulties, major ownership changes, or strategic pivots may not maintain consistent security and compliance standards.

Geographic and political risk factors matter too, especially for international data transfers. Political instability, changing privacy laws, and government surveillance programs in the subprocessor's location can create compliance risks for your organization.

Document your risk assessment decisions and the mitigation measures you implement. This documentation demonstrates to supervisory authorities that you're taking your obligations seriously and making informed decisions about subprocessor relationships.

International data transfers through subprocessors

Subprocessor relationships often involve international data transfers, adding another layer of GDPR compliance complexity. Many popular cloud services and SaaS platforms operate globally, potentially moving your data across multiple jurisdictions.

Adequacy decisions provide the simplest path for international transfers. If your subprocessor operates in a country with an adequacy decision from the European Commission, transfers can proceed without additional safeguards. But these decisions can change, so monitor their status regularly.

Standard Contractual Clauses (SCCs) offer an alternative when adequacy decisions aren't available. The European Commission provides template clauses for different types of relationships, including processor-to-subprocessor transfers. These clauses must be incorporated exactly as provided.

Transfer impact assessments become necessary when using SCCs or other transfer mechanisms. You must evaluate whether the destination country's laws or practices might prevent the subprocessor from fulfilling their contractual obligations to protect personal data.

Some subprocessors offer data residency controls that limit where your data is stored and processed. These controls can simplify compliance but often come with additional costs and potential performance impacts.

Binding Corporate Rules (BCRs) provide another option for transfers within multinational corporate groups. If your subprocessor has approved BCRs covering their global operations, transfers within their corporate group may not require additional safeguards.

Government access to data represents a particular challenge for international transfers. Many countries have laws requiring local companies to provide data to authorities upon request. Understanding these requirements and their potential impact on your data protection obligations is crucial.

Common compliance mistakes to avoid

Even well-intentioned companies make predictable mistakes when managing subprocessor relationships. Learning from common errors helps you avoid expensive compliance problems.

Treating all vendors as subprocessors creates unnecessary administrative burden. Focus your compliance efforts on vendors that actually process personal data on your behalf. Office supply companies and general business service providers usually don't need DPAs.

Using inadequate contracts remains surprisingly common. Standard vendor agreements typically don't include required GDPR clauses for subprocessor relationships. Make sure your contracts address all Article 28 requirements specifically.

Forgetting about sub-subprocessors creates compliance gaps. When your subprocessor engages their own vendors to help fulfill services to you, those relationships need oversight too. Your contracts should require written consent before subprocessors engage sub-subprocessors.

Inadequate due diligence leads to problems down the road. Checking a vendor's website and getting a sales demo isn't sufficient due diligence for subprocessor relationships. You need detailed security assessments and ongoing monitoring.

Poor incident response coordination causes compliance failures when problems occur. Make sure you understand how subprocessors will notify you of security incidents and that you can meet your own notification timelines to authorities and data subjects.

Ignoring contract renewal opportunities means missing chances to improve your compliance posture. When subprocessor contracts come up for renewal, review whether your requirements have changed and whether the vendor's capabilities still meet your needs.

Failing to maintain current subprocessor lists creates transparency problems. If you publish lists of subprocessors or commit to notifying data controllers about changes, you need processes to keep that information accurate and up-to-date.

Building a subprocessor management program

Effective subprocessor management requires more than good intentions and occasional attention. You need systematic processes that scale with your business and adapt to changing requirements.

Start by appointing clear ownership for subprocessor compliance. This might be your data protection officer, legal team, or procurement function, but someone needs to be accountable for maintaining oversight of these relationships.

Develop standard procedures for evaluating and onboarding new subprocessors. This should include security assessments, contract negotiations, and approval workflows that ensure GDPR requirements are met before any data processing begins.

Create a central repository for subprocessor documentation. This should include contracts, security assessments, audit reports, incident notifications, and any other relevant information. Good organization helps during supervisory authority investigations.

Implement monitoring and review processes for ongoing relationships. Set up regular check-ins with key subprocessors, monitor their security posture, and stay informed about changes to their business or operations that might affect compliance.

Establish clear escalation procedures for problems or incidents. When a subprocessor reports a security breach or fails to meet contractual obligations, you need predefined processes for response and remediation.

Train relevant staff on subprocessor requirements and your internal procedures. Legal, procurement, IT, and business teams all interact with subprocessors in different ways. Everyone needs to understand their role in maintaining compliance.

Consider using technology solutions to help manage complexity. As your subprocessor relationships grow in number and complexity, spreadsheets and email become inadequate for tracking obligations and deadlines.

Regular program audits help you identify gaps and improvement opportunities. External auditors or internal audit teams can provide valuable perspective on whether your subprocessor management practices meet current requirements and industry best practices.

The challenge with subprocessor compliance isn't just understanding the requirements - it's implementing sustainable processes that work as your business grows and changes. Companies that invest in proper subprocessor management programs find they can scale their operations while maintaining regulatory compliance.

Using specialized compliance software platforms streamlines many aspects of subprocessor management. These tools can automate contract tracking, centralize documentation, monitor vendor security postures, and maintain audit trails that demonstrate compliance to supervisory authorities. For companies serious about GDPR compliance, ComplyDog provides comprehensive functionality to manage subprocessor relationships alongside other data protection obligations, creating an integrated approach to privacy compliance that scales with your business needs.
