Who is a sub-processor?
What are the GDPR compliance obligations when dealing with sub-processors?
How do you assess and manage sub-processors?
In this article, we will break down the notion of sub-processors so you know all there is to know about it.
Are you ready?
Let’s get started!
What is a sub-processor?
A sub-processor is a business or company providing services to a processor who in turn provides services to a controller in some form or fashion.
Just like a processor who must act in accordance with the instructions of a controller, a sub-processor must act in accordance with the processor’s instructions.
In reality, the processor’s instructions will be identical to the controller’s instructions, as the processor is not authorized to act in any other way.
A sub-processor is an organization providing services to a processor and through which the controller’s communicated personal data will flow.
Let’s look at an example: a controller (Company A) may outsource its information technology needs to a company with a high level of expertise in the domain (Company B).
The information technology company, in turn, outsources some of its functions, such as its cloud infrastructure, to another service company (Company C).
In this chain, Company A is the controller, Company B is the processor and Company C is the sub-processor.
What is the legal definition of a sub-processor?
A sub-processor is not specifically defined under GDPR.
We can use the definition of a processor under GDPR to better understand the definition of a sub-processor.
The roles of a processor and a sub-processor are essentially identical.
Article 4(8) GDPR defines a “processor” as:
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
A sub-processor is therefore a natural or legal person, public authority, agency or other body that processes personal data on behalf of the processor, which in turn acts on behalf of the controller.
Why hire a sub-processor?
A sub-processor is a third-party organization providing specific services to a data processor.
In the business world, it is common for organizations to focus on their core area of expertise and contract with other businesses to outsource business functions they do not have proper competencies to handle.
For example, most businesses will outsource their cloud infrastructure needs by purchasing a license from AWS, SAP or Google instead of creating their own private cloud network.
There are many advantages in outsourcing to a specialized company such as cost reduction, higher security and better overall service.
In this context, a processor who receives personal data on behalf of the controller may need to work with its own processors to adequately provide the processing services required by the controller.
Businesses inevitably need to work with suppliers, vendors, partners and others.
These are all potential sub-processors.
What are the obligations of a sub-processor?
The obligations of the sub-processor are similar to the obligations of the data processor with respect to the controller.
The processing of personal data must be governed by a contract that is binding on the sub-processor and that sets out:
- the subject-matter of processing
- duration of the processing
- the nature and purpose of the processing
- the type of personal data
- the rights and obligations of the processor and controller
It’s important that the proper contracts be put in place with sub-processors so the processor can comply with GDPR.
Generally, the contract between the processor and sub-processor will be of a “flow-down” nature where the rights and obligations of the controller must flow down to the sub-processors.
Controller rights preserved
What’s important is that the rights and obligations of the controller must remain unchanged and unaffected when hiring a sub-processor.
The processor must ensure that the sub-processor processes personal data in accordance with the same instructions it has received from the controller.
Any deviation creates risk for every company in the chain.
Controller’s prior authorization
Data processors must also obtain the prior authorization of the controller before hiring another processor or sub-processor, thereby giving the controller the opportunity to object to that decision.
Typically, the data processor will list its own processors (sub-processors from the controller’s perspective) so the controller can authorize the sub-processing operations.
What to include in a sub-processing contract?
The data processing agreement must include the contractual safeguards required under GDPR.
Here are the main points to include in a sub-processor contract as required by Article 28(3) GDPR:
- The sub-processor must process personal data in accordance with the instructions of the controller as given to the processor
- The sub-processor must ensure that the sub-processing activities respect data privacy and data protection laws, particularly as outlined in GDPR
- The sub-processor must ensure that only those persons authorized to process the personal data are given access to personal data and are bound by confidentiality obligations
- The sub-processor must implement appropriate technical and organizational measures to equally protect personal data it may receive
- The sub-processor must promptly notify the processor of any actual or potential security breach
- The sub-processor must cooperate with the processor and controller to deal with any requests from data subjects or the supervisory authorities
The contractual scheme between a data processor and a sub-processor is generally referred to as a “back-to-back contract” or as “flow-down clauses”.
It’s important that the sub-processor be transparent as to its international data transfers.
In other words, will the sub-processor transfer data outside of the European Union to a country not considered as “adequate”?
If so, what are the documented safeguards implemented legally authorizing such transfer?
The data processor is responsible for the actions of the sub-processor, so it is important to contractually bind the sub-processor to the minimum GDPR requirements.
How to assess and manage sub-processors?
A processor must only engage sub-processors who meet the GDPR minimum requirements.
In other words, the sub-processor must process personal data on behalf of the processor providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the sub-processing activity will meet the requirements of GDPR.
The ultimate objective is that the sub-processor’s data processing activities must protect the rights and freedoms of the data subject to the same extent as the controller is obligated to do so.
Companies should assess their sub-processors based on their own defined eligibility criteria.
These eligibility criteria should form part of the contract with the sub-processor to ensure they continually meet them.
A processor can regularly audit its sub-processors to determine whether they continue to meet the minimum GDPR requirements, or it can hire sub-processors that have adopted a code of conduct or are certified.
How to determine if sub-processors comply with GDPR?
In business, companies do not do everything by themselves in isolation.
As a matter of fact, a successful business is one that is able to deliver products and services within its own area of competency and build the right ecosystem of partners, suppliers and vendors to support it for everything else it may need to be successful.
This means that controllers need processors and processors need sub-processors.
That’s how business works.
However, whether a controller is hiring a processor or a processor hiring a sub-processor, they all need to respect GDPR requirements when dealing with personal data of a European data subject.
Sub-processors need to be assessed, properly vetted and managed.
Here are a few tips on how to manage data sub-processors.
Identify the personal data needed by sub-processor
The first step is to define the nature of the personal data you will share with your data sub-processor.
Are you sharing special categories of data?
Are you sharing basic information on a person?
How extensively do you need to share personal data with the sub-processor?
Depending on the nature of the personal data being shared with the sub-processor, the processor must ensure the sub-processor will offer the right protections needed to comply with GDPR.
Such protections must also be to the controller’s satisfaction.
Understand the sub-processor’s data processing operations
It’s important to understand how the sub-processor will handle the controller’s personal data.
Will the sub-processor send personal data to a third country?
Is the third country considered adequate?
What is the exact processing operation of the sub-processor?
One way to understand this process is to send data processing questionnaires on a regular basis requiring the sub-processor to disclose its data processing operations.
A processor should only authorize specific data processing operations to ensure personal data is not going to be used for any purpose other than acting on behalf of the data processor.
Evaluate the sub-processor’s security safeguards
Evaluating a sub-processor’s technical and organizational security and safeguards can be done using a security questionnaire.
What security measures are implemented by the sub-processor?
Is the personal data encrypted, anonymized or pseudonymized?
Where is the data stored and how safe is it?
Who can have access to personal data?
Does the sub-processor have any security certifications, such as SOC 2 Type II if they are running a cloud infrastructure?
The processor must obtain sufficient evidence and comfort that the sub-processor is not only committing to offering security safeguards but has implemented the proper safeguards to protect personal data.
Evaluate the sub-processor’s compliance with GDPR
Another evaluation is to verify the sub-processor’s compliance with GDPR.
Do they need to have a data protection officer?
Are they complying with GDPR in operations other than the sub-processing activities contemplated?
The overall compliance with GDPR can demonstrate a sub-processor’s seriousness with data privacy and data protection.
Who is liable for the sub-processor’s actions?
Under GDPR, the processor is liable to the controller for its data processing operations.
Similarly, the sub-processor will remain liable to the processor for its own data processing operations.
The processor will be ultimately responsible for all its sub-processors vis-à-vis the data controller.
Article 28 GDPR states:
“Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.”
The initial processor will remain “fully liable” to the controller for the performance or non-performance of the sub-processor’s obligations when dealing with personal data.
Processors should not take this responsibility lightly and should properly qualify their sub-processors to avoid liability to the controller and potentially being responsible for administrative fines.
In the business world, it is inevitable that organizations work with other businesses on functions they wish to outsource, that are not core to their business, or for which they lack the expertise.
A sub-processor is a business or company providing services to a data processor who in turn provides services to a data controller.
A sub-processor can be a natural or legal person, public authority, agency or other body processing personal data on behalf of the processor acting on behalf of the controller.
The obligations of the sub-processor are similar to the obligations of the data processor with respect to the controller.
As such, it’s important to ensure that the relationship with the sub-processor is governed by a binding contract and that its data processing activities comply with GDPR.
Data processors hiring sub-processors remain fully liable to the controller for the actions of their sub-processors.
When hiring a sub-processor, companies are advised to ensure they properly qualify and select the right business partner to mitigate risk.
We hope this article gave you the basics you need to understand what a sub-processor is and what GDPR compliance obligations are associated with hiring one.