When your company handles personal data and PII, chances are you’re not doing it alone. Third-party services help with everything from cloud storage to payment processing. But here’s what many businesses miss: some of these vendors are actually “subprocessors” (also spelled "sub processor") under GDPR, and that comes with specific legal obligations.
A subprocessor is a third-party service provider engaged by a data processor to handle personal data on behalf of a data controller. Getting this wrong can lead to hefty fines and compliance headaches. Yet many companies still don’t understand which of their vendors qualify as subprocessors or what obligations follow, which makes identifying and managing subprocessors critical for both compliance and risk management.
Understanding subprocessors in simple terms
A subprocessor is any third-party entity that processes personal data on behalf of your organization. Think of it this way: if you’re a data processor for your clients, and you engage another company to help with that processing, that company becomes your subprocessor. While the term 'subprocessor' is not explicitly defined in GDPR, it is widely used in privacy frameworks to describe these third-party processors.
The relationship is hierarchical: your client (the data controller) determines the purposes of data processing, you (the processor) handle the data, and subprocessors assist in specific tasks. The data controller trusts you to handle their data properly, and when you pass some of that processing to a subprocessor, you’re still responsible for ensuring compliance throughout the entire chain.
This isn’t just about storing data in the cloud (though that’s definitely included). Subprocessors perform a wide range of functions on behalf of the processor, such as email delivery, payment processing, analytics, or customer support. When performing these tasks, they must follow the instructions passed down from the customer (the controller) so that data is handled according to the required directives.
The key distinction? The subprocessor must be processing data on your behalf - not just providing a general service your company uses. This nuance trips up many businesses.
GDPR requirements for subprocessors
Article 28 of the GDPR spells out the rules clearly, and subprocessors are heavily regulated under other privacy laws such as the CCPA as well. When you engage a subprocessor, you can’t just hand over the data and hope for the best: these data protection laws require specific safeguards and documentation.
First, you must have a written Data Processing Agreement (DPA) with every subprocessor. The agreement must set out each party’s responsibilities for data protection and include specific clauses on data handling, confidentiality, and breach notification procedures; the GDPR gives you no wiggle room here, and compliance with data protection laws is a hard requirement. Under GDPR, the data controller’s explicit consent is also required before any subprocessor may handle personal data.
Second, you must inform data subjects (and often your clients) about which subprocessors you use. Transparency isn’t optional under GDPR. People have a right to know where their data is going and who’s handling it.
The regulation also requires that subprocessors meet the same data protection standards you do. You can’t use a subprocessor as an excuse to lower your security standards. If anything, you need to be more careful because you’re responsible for their actions too.
Breach notification becomes more complex with subprocessors. Your incident response plan must support notifying breaches without undue delay: subprocessors must notify you of any security incident within specific, contractually agreed timeframes, and you still have your own notification obligations to supervisory authorities and data subjects.
How to identify if a vendor is a subprocessor
Not every vendor your company works with qualifies as a subprocessor. The office cleaning service probably isn’t processing personal data. Your accounting software provider might be, depending on what data they access and the context in which they interact with your systems.
The test is simple: does this vendor process, store, or transmit personal data on behalf of your organization? If yes, they’re likely a subprocessor. If they only provide general business services without accessing personal data, they’re just regular vendors. The context of their involvement, such as whether they are integrated into A/B testing, feature flagging, or customer data management workflows, determines their subprocessor status.
Here are some clear examples to help you categorize your vendors and illustrate best practices in transparency and security:
Definitely subprocessors (applicable to services handling customer data):

- Cloud hosting providers storing customer databases
- Email marketing platforms sending campaigns with customer data
- Payment processors handling customer payment information
- Customer support platforms storing communication records and implementing robust customer support privacy controls
- Analytics services processing user behavior data (for example, tools like Google Analytics)

Usually not subprocessors (applicable to general business operations):

- Office supply vendors
- Facilities management companies
- General business insurance providers
- Legal services (unless they’re handling your data processing activities)
- Marketing agencies that don’t access your customer data
The gray area comes with services like project management tools or communication platforms. If these tools contain personal data from your processing activities, they could qualify as subprocessors depending on the applicable use case.
When in doubt, err on the side of caution. Treating a vendor as a subprocessor when they might not be costs you some administrative overhead. Missing a real subprocessor relationship can cost you regulatory fines.
Legal obligations when working with subprocessors
Your legal responsibilities don’t end when you sign a contract with a subprocessor. GDPR creates ongoing obligations that many companies underestimate. Effective evaluation of subprocessors involves ensuring these entities adhere to the same legal and regulatory requirements as your organization.
You must conduct due diligence before engaging any subprocessor entity, following structured GDPR subprocessor management practices. This means evaluating their security measures, checking their certifications, and assessing their ability to meet GDPR requirements. The scope of activities subprocessors are allowed to perform should be limited to what is necessary, helping to maintain the integrity of personal data throughout the processing chain. A pretty website and good sales pitch aren’t enough.
Ongoing monitoring is required too. You can’t just check a subprocessor entity’s credentials once and forget about them. Regular audits, security assessments, and contract reviews are part of maintaining compliance and ensuring the continued integrity and security of data.
Data processing agreements (DPAs) must contain specific clauses mandated by GDPR. These aren’t suggestions - they’re legal requirements. The agreement must specify the subject matter and duration of processing, the nature and purpose of processing, the types of personal data involved, and the categories of data subjects. Your contract should explicitly grant you the right to perform audits or inspections of their compliance measures.
You’re also responsible for ensuring subprocessors only engage their own sub-subprocessors with your written consent. Yes, the chain can go deeper, and you need visibility and control over each level.
Breach notification procedures require careful coordination. Subprocessors must notify you of any personal data breaches without undue delay. You then have your own notification timelines to meet with supervisory authorities and affected individuals.
Common types of subprocessors
Most businesses work with similar categories of subprocessors, even if they don’t realize it. Subprocessors play a crucial role in extending the capabilities of primary processors by taking on specific tasks, which allows primary processors to focus on their core functions. Understanding these common types helps you identify gaps in your compliance program.
Cloud infrastructure providers top the list for most companies. Amazon Web Services, Google Cloud Platform, and Microsoft Azure store and process enormous amounts of personal data on behalf of their customers. These subprocessors operate and maintain the equipment and infrastructure that underpin your platform and the security and availability of customer data, often across multiple geographic locations. These relationships definitely require proper Data Processing Agreements and ongoing oversight.
Software-as-a-Service (SaaS) platforms often qualify as subprocessors. Customer relationship management systems, human resources platforms, accounting software, and project management tools frequently contain personal data; a CRM such as Salesforce illustrates how deeply these tools integrate with your processing activities. These third-party services provide analytics, workflow automation, and customer engagement functionality, and in doing so perform processing activities that help you fulfill your own processing obligations.
Communication service providers include email delivery services, SMS platforms, and customer support systems. If these services access personal data to send communications on your behalf, they’re subprocessors requiring proper contracts and oversight. These providers enable targeted communication and perform essential messaging functions.
Payment processing services obviously handle sensitive personal data. Credit card processors, digital wallets, and billing platforms need robust security measures and clear contractual obligations about data handling. These subprocessors perform transaction processing and enable secure payments across various locations.
Analytics and tracking services collect and process personal data about website visitors and app users. Google Analytics, heat mapping tools, and user behavior tracking platforms often qualify as subprocessors for companies using them to understand customer behavior. These services enhance your ability to analyze user engagement and perform data-driven decision-making.
The table below shows common subprocessor categories and their typical functions. Common services provided by subprocessors include cloud storage, payment processing, email delivery, and CRM, often performed across different locations:
| Subprocessor type | Function | Data processed |
|---|---|---|
| Cloud hosting | Infrastructure and storage; operate and maintain equipment in various locations | All personal data in hosted systems |
| Email services | Marketing and transactional emails; enable targeted communication | Customer contact information, communication preferences |
| Payment processors | Transaction processing; perform secure payments | Payment card data, billing information |
| CRM platforms | Customer relationship management; enable enhanced engagement | Contact details, interaction history, preferences |
| Support platforms | Customer service; perform support activities in multiple locations | Support tickets, communication records |
| Analytics services | Usage tracking and analysis; enhance data insights | User behavior data, demographics |
Data processing agreements with subprocessors
Data processing agreements aren’t just paperwork - they’re your primary tool for maintaining compliance and ensuring data security when working with subprocessors. GDPR Article 28 specifies exactly what these agreements must contain.
The agreement must clearly define what personal data and PII the subprocessor can access and how they can use it. Vague language like “customer data” won’t cut it. You need specific descriptions of data categories and processing purposes.
Security measures require detailed specification. The DPA should outline the technical and organizational measures the subprocessor must implement, including encryption requirements (verify that data is encrypted both in transit, with TLS 1.2 or later, and at rest, with AES-256), access controls, employee training, and incident response procedures.
Data subject rights create interesting challenges in subprocessor agreements. The contract must specify how the subprocessor will assist you in responding to data subject requests for access, rectification, erasure, or portability. These aren’t theoretical requirements - real people make these requests regularly.
International data transfer provisions need careful attention if your subprocessor operates outside the European Economic Area. The agreement must include appropriate safeguards like Standard Contractual Clauses or reference adequacy decisions for the destination country.
Audit rights often get overlooked, but GDPR requires them. Your agreement must give you the right to audit the subprocessor’s compliance measures, whether through on-site inspections, third-party certifications, or detailed questionnaires. More broadly, DPAs manage subprocessors through strict clauses requiring prior authorization, a binding contract with the subprocessor (a sub-DPA), and ongoing security monitoring to ensure GDPR compliance.
Termination and data return clauses protect you when relationships end. The agreement should specify how quickly the subprocessor must return or delete personal data when the contract terminates, and what documentation they must provide to prove deletion occurred.
Managing subprocessor relationships
Good subprocessor management goes beyond signing contracts. You need systems and processes to maintain oversight throughout the relationship lifecycle, involving multiple units and organizations within your company.
Start with a comprehensive inventory of all your subprocessors, supported by appropriate GDPR compliance tools. Many organizations discover they have more subprocessor relationships than they realized when they actually map out all their vendor relationships and data flows, including the specific units or physical locations where data is processed.
Create a standard evaluation process for new subprocessors and monitor performance via a structured GDPR compliance dashboard. This should include security questionnaires, reference checks, and a review of third-party audits and certifications such as SOC 2 Type II or ISO 27001 as baseline indicators of their security posture. Don’t skip this step even for well-known entities.
Implement regular review cycles for existing subprocessors, aligning them with your broader GDPR compliance implementation roadmap. Business needs change, security threats evolve, and regulatory requirements get updated. Annual reviews help you catch problems before they become compliance violations and ensure each entity continues to fulfill its required functions securely.
Document everything. Keep records of your due diligence activities, contract negotiations, security assessments, and any incidents or issues that arise. Supervisory authorities may request this documentation during investigations.
Monitor public information about your subprocessors. Security breaches, regulatory actions, and business changes at subprocessor entities can affect your compliance posture. Set up Google Alerts or use monitoring services to stay informed.
Train your team on subprocessor requirements. Legal, procurement, and operations units all play roles in subprocessor management. Everyone in your organization needs to understand when GDPR obligations apply and what steps to take.
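The inventory, evaluation, review-cycle and documentation steps above lend themselves to a simple automated check. The following Python script is an added example and is not code from the original article or from any product it mentions; it audits a constructed subprocessor register for the gaps the article describes (no written DPA, vague data categories, a non-EEA location without an adequacy decision or SCC/BCR, an overdue review, sub-subprocessors without written consent, no contractual breach-notification deadline). The country sets, the 365-day review interval, the register entries and the audit date are all assumptions made for the example; the real EEA membership and adequacy decisions must be checked against official sources.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Illustrative, deliberately partial sets (assumptions for this example). The
# authoritative lists are the EEA membership and the European Commission's
# adequacy decisions; check them before relying on this check in practice.
EEA_COUNTRIES = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL",
                 "PL", "SE", "IS", "LI", "NO"}
ADEQUACY_COUNTRIES = {"CH", "GB", "JP", "NZ"}        # partial, illustrative
ACCEPTED_TRANSFER_MECHANISMS = {"SCC", "BCR"}        # Standard Contractual Clauses / Binding Corporate Rules
REVIEW_INTERVAL_DAYS = 365                           # annual review, as suggested in the text
VAGUE_DATA_DESCRIPTIONS = {"customer data", "user data", "all data"}


@dataclass
class Subprocessor:
    """One row of the subprocessor register (hypothetical schema)."""
    name: str
    service: str
    data_categories: List[str]            # what personal data they see
    locations: List[str]                  # ISO country codes where data is processed
    dpa_signed: bool                      # written DPA in place?
    transfer_mechanism: Optional[str]     # "SCC", "BCR" or None
    last_review: Optional[date]           # last due-diligence review
    breach_notice_hours: Optional[int]    # contractual notification deadline
    sub_subprocessors: List[str] = field(default_factory=list)
    sub_subprocessor_consent: bool = False  # written consent given for the chain?


def audit_subprocessor(sp: Subprocessor, today: date) -> List[str]:
    """Return a list of compliance findings for one register entry (empty = clean)."""
    findings: List[str] = []
    if not sp.dpa_signed:
        findings.append("no written DPA")
    # Article 28 contracts must name concrete data categories, not "customer data".
    if not sp.data_categories or any(c.lower() in VAGUE_DATA_DESCRIPTIONS for c in sp.data_categories):
        findings.append("data categories missing or too vague")
    for country in sp.locations:
        if country in EEA_COUNTRIES or country in ADEQUACY_COUNTRIES:
            continue
        if sp.transfer_mechanism not in ACCEPTED_TRANSFER_MECHANISMS:
            findings.append(f"transfer to {country} without adequacy decision or SCC/BCR")
    if sp.last_review is None or (today - sp.last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append("due-diligence review overdue")
    if sp.sub_subprocessors and not sp.sub_subprocessor_consent:
        findings.append("sub-subprocessors engaged without written consent")
    if sp.breach_notice_hours is None:
        findings.append("no breach notification deadline in contract")
    return findings


def audit_register(register: List[Subprocessor], today: date) -> Dict[str, List[str]]:
    """Audit every entry; the result is the kind of record a supervisory authority may ask for."""
    return {sp.name: audit_subprocessor(sp, today) for sp in register}


def non_compliant(report: Dict[str, List[str]]) -> List[str]:
    """Names of entries with at least one finding, in register order."""
    return [name for name, findings in report.items() if findings]


# Constructed sample register and audit date (not real vendors or real data).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Subprocessor("ExampleCloud", "hosting", ["account records", "support tickets"],
                 ["DE", "IE"], dpa_signed=True, transfer_mechanism=None,
                 last_review=date(2024, 3, 1), breach_notice_hours=24,
                 sub_subprocessors=["ExampleDataCentre"], sub_subprocessor_consent=True),
    Subprocessor("ExampleMail", "email delivery", ["email address", "marketing preferences"],
                 ["IE", "US"], dpa_signed=True, transfer_mechanism="SCC",
                 last_review=date(2022, 1, 15), breach_notice_hours=48),
    Subprocessor("ExampleAnalytics", "usage analytics", ["customer data"],
                 ["IN"], dpa_signed=False, transfer_mechanism=None,
                 last_review=None, breach_notice_hours=None,
                 sub_subprocessors=["ExampleTagCDN"], sub_subprocessor_consent=False),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER, AUDIT_DATE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run as-is it reports ExampleCloud as clean, ExampleMail with only an overdue review (its US transfer is covered by SCCs), and ExampleAnalytics with every finding the check knows about. Extending the register from a spreadsheet or vendor-management export, and running the audit on a schedule, gives the "document everything" step a machine-checkable baseline.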
Subprocessor notification requirements
GDPR requires transparency about subprocessor relationships, but the specific notification requirements depend on your role in the data processing chain, the applicable region, and your contracts with data controllers.
If you’re a processor working for data controllers, you typically must inform those controllers about your subprocessors. This can happen through direct notification, a publicly available list, or subprocessor information included in your contracts. Customers must also be notified of important updates, such as changes to subprocessors or to their processing activities.
Many processors maintain subprocessor lists on their websites. These lists should include the subprocessor name, locations where they operate, the region covered, and a general description of services provided. Keeping these lists current requires ongoing attention as vendor relationships change.
Some data controllers require advance notice before you engage new subprocessors. Your contract with the controller should specify notification timelines, the applicable subprocessors or regions, and whether the controller has veto rights over your subprocessor choices.
Changes to existing subprocessor relationships may also trigger notification requirements. If a subprocessor moves data to a new location, changes ownership, or significantly modifies their security practices, you may need to inform data controllers.
Subprocessors may need access to customer data in order to respond to customer-initiated requests or technical issues. Such access is typically limited in scope and explicitly authorized, to preserve privacy and security.
Data subjects don’t typically receive direct notification about subprocessors, but they have the right to request information about who is processing their data. Your privacy notices should explain how people can get details about your subprocessors.
The notification burden increases with the complexity of your processing activities. Companies with multiple product lines, various data types, and numerous subprocessors need sophisticated tracking systems to maintain compliance.
Risk assessment and due diligence
Due diligence isn’t a one-time checkbox exercise. Effective subprocessor risk management requires ongoing assessment and monitoring throughout the relationship lifecycle to ensure secure handling of data and maintain data integrity, while applying GDPR data minimization principles.
Start with security questionnaires tailored to the specific, limited activities the subprocessor entity will provide. Generic questionnaires miss important risks specific to different types of processing activities. Payment processors need different scrutiny than email service providers.
Review the subprocessor entity’s security certifications, but don’t rely on them exclusively. SOC 2 Type II reports, ISO 27001 certificates, and similar credentials provide valuable information, but you need to understand what they cover and what gaps might exist in maintaining the integrity and security of your data.
Assess the subprocessor’s incident response capabilities. How quickly do they detect security incidents? What notification procedures do they follow? How do they contain and remediate problems? These capabilities directly affect your own compliance obligations and the secure management of data.
Evaluate business continuity and disaster recovery plans, including Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), as part of a broader GDPR compliance maturity framework. If your subprocessor entity experiences operational problems, how will that affect your ability to meet obligations to data controllers and data subjects? Understanding these dependencies helps you plan appropriate contingencies and maintain service integrity during disruptions.
Consider the subprocessor entity’s financial stability and business model. Companies going through financial difficulties, major ownership changes, or strategic pivots may not maintain consistent security and compliance standards.
Geographic and political risk factors matter too, especially for international data transfers that may require formal Data Transfer Impact Assessments (DTIAs). For example, if your subprocessor entity operates in Canada or another region outside your own, verify they have legal safeguards in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to ensure secure and compliant data processing.
Document your risk assessment decisions and the mitigation measures you implement. This documentation demonstrates to supervisory authorities that you’re taking your obligations seriously and making informed decisions about subprocessor relationships, with a focus on data integrity and secure practices.
International data transfers through subprocessors
Subprocessor relationships often involve international data transfers, adding another layer of GDPR compliance complexity that must be reflected in your records of processing activities. Many popular cloud services and SaaS platforms operate globally and may move your data across multiple regions and locations: France, the United Kingdom (including London), the United States (including San Francisco), and jurisdictions covered by the Australia Privacy Act and APPs, for example. Each entity acting as a subprocessor may process data in a different geographic location, so knowing the region where your data is handled is essential for compliance.
Adequacy decisions provide the simplest path for international transfers. If your subprocessor entity operates in a region or country with an adequacy decision from the European Commission, transfers can proceed without additional safeguards. But these decisions can change, so monitor their status regularly.
Standard Contractual Clauses (SCCs) offer an alternative when adequacy decisions aren’t available and are a core part of many organizations’ DTIA requirements for international data transfers. The European Commission provides template clauses for different types of relationships, including processor-to-subprocessor transfers. These clauses must be incorporated exactly as provided.
Transfer impact assessments become necessary when using SCCs or other transfer mechanisms. You must evaluate whether the destination region’s laws or practices might prevent the subprocessor entity from fulfilling their contractual obligations to protect personal data.
Some subprocessors offer data residency controls that limit where your data is stored and processed, allowing you to select specific locations or regions for data handling. These controls can simplify compliance but often come with additional costs and potential performance impacts.
Binding Corporate Rules (BCRs) provide another option for transfers within multinational corporate groups. If your subprocessor entity has approved BCRs covering their global operations, transfers within their corporate group may not require additional safeguards.
Transparency about which entities process your data and their locations is critical. Failing to disclose information about subprocessors can lead to significant consequences, including fines under GDPR and damage to your company’s reputation, as users increasingly expect transparency.
Government access to data represents a particular challenge for international transfers, especially as GDPR requirements evolve toward 2025. Many countries have laws requiring local companies to provide data to authorities upon request. Understanding these requirements and their potential impact on your data protection obligations is crucial.
Common compliance mistakes to avoid
Even well-intentioned companies make predictable mistakes when managing subprocessor relationships. Learning from common errors helps you avoid expensive compliance problems.
Treating all vendors as subprocessors creates unnecessary administrative burden. Focus your compliance efforts on vendors that actually process personal data on your behalf. Office supply companies and general business service providers usually don’t need DPAs.
Using inadequate contracts remains surprisingly common. Standard vendor agreements typically don’t include required GDPR clauses for subprocessor relationships. Make sure your contracts address all Article 28 requirements specifically and comply with relevant data protection laws.
Forgetting about sub-subprocessors creates compliance gaps. When your subprocessor engages their own vendors to help fulfill services to you, those relationships need oversight too. Your contracts should require written consent before subprocessors engage sub-subprocessors, and ensure that these entities are only permitted limited activities as necessary for service delivery.
Inadequate due diligence leads to problems down the road. Checking a vendor’s website and getting a sales demo isn’t sufficient due diligence for subprocessor relationships. You need detailed security assessments and ongoing monitoring to ensure each entity complies with data protection laws.
Poor incident response coordination causes compliance failures when problems occur. Make sure you understand how subprocessors will notify you of security incidents and that you can meet your own notification timelines to authorities and data subjects.
Ignoring contract renewal opportunities means missing chances to improve your compliance posture. When subprocessor contracts come up for renewal, review whether your requirements have changed and whether the vendor’s capabilities still meet your needs.
Failing to maintain current subprocessor lists creates transparency problems. Data protection laws require transparency, and subprocessors are heavily regulated. If you publish lists of subprocessors or commit to notifying data controllers about changes, you need processes to keep that information accurate and up-to-date.
Building a subprocessor management program
Effective subprocessor management requires more than good intentions and occasional attention. You need systematic processes that scale with your business and adapt to changing requirements, supporting operational scale across each unit of your organization.
Start by appointing clear ownership for subprocessor compliance. This might be your data protection officer, legal team, or procurement function, but someone needs to be accountable for maintaining oversight of these relationships and the entities involved.
Develop standard procedures for evaluating and onboarding new subprocessors that align with broader GDPR guidance for SaaS companies. This should include security assessments, contract negotiations, and approval workflows that ensure GDPR requirements are met before any data processing begins. Assess the specific functions each subprocessor entity will perform and the context in which they will be integrated, such as A/B testing, feature flagging, or customer data management.
Create a central repository for subprocessor documentation. This should include contracts, security assessments, audit reports, incident notifications, and any other relevant information. Good organization helps during supervisory authority investigations and enhances your ability to demonstrate compliance.
Implement monitoring and review processes for ongoing relationships. Set up regular check-ins with key subprocessor entities, monitor their security posture, and stay informed about changes to their business or operations that might affect compliance. Maintaining data integrity and secure processing is essential to protect personal data and ensure ongoing compliance.
Establish clear escalation procedures for problems or incidents. When a subprocessor reports a security breach or fails to meet contractual obligations, you need predefined processes for response and remediation.
Train relevant staff on subprocessor requirements and your internal procedures. Legal, procurement, IT, and business teams all interact with subprocessors in different ways. Everyone needs to understand their role in maintaining compliance and supporting the secure and compliant integration of subprocessor functions.
Consider using GDPR compliance tools and other technology solutions to help manage complexity. As your subprocessor relationships grow in number and complexity, spreadsheets and email become inadequate for tracking obligations and deadlines.
Regular program audits help you identify gaps and improvement opportunities, feeding into your overall GDPR compliance maturity model. External auditors or internal audit teams can provide valuable perspective on whether your subprocessor management practices meet current requirements and industry best practices, and enhance your compliance program.
The challenge with subprocessor compliance isn’t just understanding the requirements - it’s implementing sustainable processes that work as your business grows and changes. Companies that invest in proper subprocessor management programs find they can scale their operations while maintaining regulatory compliance and data integrity.
Using specialized compliance software platforms streamlines many aspects of subprocessor management. These tools can automate contract tracking, centralize documentation, monitor vendor security postures, and maintain audit trails that demonstrate compliance to supervisory authorities. For companies serious about GDPR compliance, ComplyDog provides comprehensive functionality to manage subprocessor relationships alongside other data protection obligations, creating an integrated approach to privacy compliance that scales with your business needs.