What is a subprocessor under GDPR?

I am a data processor for my client, but who is a sub-processor?

You're a processor when a customer trusts you to handle their data. But often, you won't do all the work yourself. Sometimes, you use third-party services, like cloud storage.

These third parties that help you with your job are called sub-processors. 👉 In other words, sub-processors are the companies you use to handle your customer's data.

Why is a sub-processor list necessary in your DPA?

To follow the law under GDPR, companies need to handle personal data correctly.

A list of sub-processors in your DPA helps everyone stay informed and legal. This list lets your customer know who else is using their data. It also ensures these other companies are following the law.

What should a sub-processor list look like?

Your sub-processor list should detail every third-party service you use to handle your customer's data. This includes:

  • Name: Who the sub-processor is.
  • Address: Where the sub-processor is.
  • DPA: A link or reference to the agreement between you and the sub-processor.
  • Purpose and details: What job the sub-processor is doing for you.
  • Contact: The contact of the sub-processor, ideally their privacy team.

Here's an example:

| Name | Address | DPA | Purpose | Contact |
| --- | --- | --- | --- | --- |
| Amazon Web Services | 410 Terry Avenue North, Seattle, WA 98109, USA | DPA link | Hosting and Storage | https://aws.amazon.com/contact-us/compliance-support/ |
| Intercom | 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA | DPA link | Database Infrastructure | team@intercom.com |

This list covers:

  • Who's processing the data.
  • Where the data is being processed.
  • The legal agreement (the DPA).
  • Why the data is being processed.
  • Who to contact.

💡 In your DPA, you should include a URL that references your sub-processor list. You can also add the whole list to your Appendix.

Remember, your sub-processor list needs to stay updated. Review it regularly and update it whenever you start using a new sub-processor, or stop using one.

Next steps

Eager to have your DPA template right away? Talk with our DPA expert now and request a DPA by answering our simple questionnaire.