Sub-Processor

Definition

A third party engaged by a data processor to perform specific processing activities on behalf of the data controller, creating a chain of processing relationships. Under GDPR Article 28(2), processors must obtain specific or general written authorization from controllers before engaging sub-processors. General authorization allows processors to engage sub-processors provided they inform controllers of changes and allow objections within reasonable timeframes. Sub-processors must agree to substantially the same data protection obligations as the original processor through written contracts. The original processor remains liable to the controller for the sub-processor's performance.

Common sub-processor scenarios include: SaaS providers using cloud hosting services, email marketing platforms using delivery infrastructure, or payroll processors using tax calculation services.

Organizations should: maintain current sub-processor lists, notify customers of sub-processor changes, allow objection/termination rights, ensure sub-processor contracts contain required terms, conduct due diligence on sub-processors' security and compliance, and flow down relevant contractual obligations through the processing chain.

Applicable Laws & Regulations

  1. GDPR Article 28(2)
  2. GDPR Article 28(4)
  3. Standard Contractual Clauses Module 3
