The UK General Data Protection Regulation (UK GDPR) is the fundamental law in the UK regulating the use of personal data. Under this law, various rules exist for different parties in a data processing relationship. It is common for data processors to engage the assistance of further processors, commonly known as ‘data sub-processors’. However, data processors should note several data protection compliance considerations apply when engaging third-party sub-processors. This article will explore what a data sub-processor is and critical considerations for data processors regarding their use.
What Is a Sub-Processor’s Role?
Understanding the roles of data controllers and data processors within the UK GDPR framework is crucial. This distinction is vital for understanding each party’s role in accountability when processing personal data caught within the scope of the UK GDPR.
While data controllers are responsible for determining the purposes and means of processing personal data, data processors process personal data on behalf of the controller.
A ‘data sub-processor’ is a third party that a data processor engages to assist with personal data processing on behalf of the controller. Data processors typically engage them to process the data controller’s data for specific purposes.
For example, a data processor may engage a cloud storage provider to store personal data, which it processes on behalf of a data controller customer. In such cases, the cloud storage provider acts as a sub-processor, processing personal data on the controller’s behalf through the data processor’s instructions.
What Are Some Key Considerations for Sub-Processor Relationships?
If your business processes data as a processor, there are vital issues to note when engaging a third-party sub-processor.
Three of the critical issues to consider, amongst others, are as follows:
Have You Carried Out Due Diligence?
Appointing a sub-processor carries significant risk. Processors should safeguard themselves from liability by conducting detailed due diligence on potential sub-processors to ensure compliance with UK GDPR data processing standards.
Processors should precisely document their due diligence efforts, conduct regular audits or reviews, and maintain records of all data categories processed by sub-processors so they are readily available for data protection regulators upon request.
Have You Obtained Authorisation from the Controller?
The UK GDPR imposes strict rules on sub-processors’ engagement by processors, requiring prior written authorisation from the controller, either specific or general. If granted general authorisation, the processor must notify the controller of any changes, offering the controller the opportunity to object.
For practical purposes, contractual agreements between controllers and processors often grant the processor the authority to appoint sub-processors. At the same time, the controller retains the right to reject these third parties and terminate the contract if they are unhappy with their appointment.
Have You Put in Place a Sub-Processor Agreement?
A processor must impose identical data protection obligations on sub-processors as specified in the contract between the controller and the processor and ensure that the sub-processor (SP) only processes personal data per the controller’s instructions.
Further, the original processor remains fully liable to the controller for the SP’s performance, so thorough due diligence on the SP before engagement is needed to ensure it can meet the contractual obligations. As such, where an SP is engaged, the parties require a formal sub-processor agreement that reflects those obligations and ensures the UK GDPR requirements are met.
You should carefully draft sub-processing agreements to accurately reflect the specific data processing agreement and safeguard the initial processor from risk.
In summary, various issues exist when a processor intends to engage an SP. If you require support understanding these obligations, you should seek legal advice from an experienced data protection solicitor.
Key Takeaways
While a data processor appointing third-party sub-processors is common practice, a data processor must consider several critical UK GDPR considerations when engaging an SP. For instance, the processor must ensure it has the authority to appoint a sub-processor to process the controller’s data. Further, the processor must enter into a contractual agreement with the sub-processor, requiring adherence to the same standards and requirements of UK GDPR compliance as assured to the controller.
Furthermore, the processor remains accountable to the controller for the actions of the sub-processor, necessitating thorough due diligence to ensure adequate safeguarding of the controller’s data. While engaging them is common, it also presents significant risks for processors. When a processor is uncertain about its legal obligations regarding sub-processor engagement, seeking legal advice is vital.
If you need advice on UK GDPR compliance or your obligations when appointing a third-party sub-processor, you can contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.