
Sub-Processor

GDPR

A third party engaged by a processor to carry out specific processing activities on behalf of a controller.

A sub-processor is a vendor engaged by a data processor to perform processing activities on behalf of the original controller. Engaging or replacing a sub-processor requires the controller's prior specific or general written authorisation (GDPR Art. 28(2)).

Why it matters
Maintaining a public sub-processor list with email notification is now table-stakes for B2B SaaS sales. Failing to notify before adding a new sub-processor breaches most DPAs.

Related terms

Data Processor
An entity processing personal data on behalf of a controller, governed by a written DPA (GDPR Art. 28).
Data Processing Agreement (DPA)
Contract between a controller and processor codifying GDPR Art. 28 obligations.
