Skip to content

Do I Need a Controller’s Consent to Engage a Data Sub-Processor?

Table of Contents

The UK General Data Protection Regulation (UK GDPR) sets strict requirements for processing personal data. Under the UK GDPR regime, various rules apply when a processor engages another subprocessor to process a controller’s data. A vital issue is whether the processor can appoint a subprocessor freely or if the controller’s consent is necessary. This article explores whether a processor needs a controller’s permission to engage a subprocessor. 

What is the Difference Between Controllers, Processors and Sub-Processors?

Understanding the differences between controllers, processors, and subprocessors is fundamental to ensuring an organisation understands the complex legal rules governing data processing under the UK GDPR

A controller is an organisation with the authority to determine the purposes and methods of personal data processing. At the same time, a processor undertakes this on behalf of and according to the controller’s instructions. Subsequently, sub-processors are organisations engaged by processors to aid in specific data processing activities on behalf of the controller. For instance, a service provider who is a processor may engage a sub-processor to deliver hosting or cloud services as part of the customer controller’s project. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

The UK GDPR imposes significant obligations on controllers to ensure compliance, including selecting processors who can guarantee adequate technical and organisational measures to safeguard data. Understanding this obligation and the parties’ roles in a data processing chain is crucial.

Does a Controller Need to Give Permission for Use of Sub-Processors?

Securing authorisation from the controller is a crucial step under the UK GDPR when engaging subprocessors. This means receiving written permission beforehand for each subprocessor or as general approval. If permission is based on general authorisation, any changes to sub-processors must be communicated to the controller, giving them a chance to object. This is vital for processors to understand. We explore this further below. 

Under the UK GDPR, specific requirements apply to ensure accountability regarding data sub-processors. 

Article 28 of the UK GDPR specifies various conditions for engaging data processors, including the need for a written contract that clearly defines processing activities, types of personal data, data subject categories, and the rights and obligations of both the controller and processor.

Significantly, this article of the UK GDPR dictates that the data processor must obtain prior written authorisation, whether specific or general, before engaging a sub-processor. This highlights the controller’s responsibility for overseeing and being accountable for all processing activities. Ultimately, the controller must be fully informed and retain control over data processing, including when involving sub-processors, to ensure compliance with the UK GDPR.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

How Can a Controller Give Authorisation for Sub-Processing?

Obtaining authorisation for sub-processors under the UK GDPR is a critical aspect of data processing that requires careful consideration. 

The UK GDPR emphasises transparency, accountability, and protecting individuals’ data. 

When a data controller engages a subprocessor, it must ensure that it complies with the Article 28(2) requirements of the UK GDPR. A processor must also gain authorisation correctly and take various other steps. 

Essential Steps When Appointing a Sub-Processor

Key steps to take as a processor when appointing a sub-processor include the following:

  • ensure the data controller knows the proposed sub-processing arrangement and that what you have agreed upon is documented in your data sub-processing contract. Your contract should specify critical provisions regarding using any pre-approved sub-processor, its role, and its activities. Be prepared to answer questions from the controller about this as part of their due diligence; and
  • ensure that the controller gives written authorisation for use of the sub-processor. This authorisation can either be specific or general. Specific authorisations mean that the controller will need to provide specific approval for each sub-processor you intend to work with, in contrast to general authorisation to work with sub-processors. 

Where authorisation is general, typically, this could involve the controller pre-approving a specific list of potential sub-processors or criteria your business uses to select and appoint sub-processors. 

Where general approval is given, note that you must notify the controller of any sub-processor changes. The controller will have the right to object to any sub-processors you seek to appoint.

The controller will also need assurances regarding the subprocessors’ compliance with the UK GDPR and data safeguarding. Data processors will remain liable to the controller for the actions of the subprocessor. This is why a data subprocessor agreement with a sub-processor is critical. 

Considerations When Appointing a Sub-Processor

Obtaining authorisation for sub-processors under the UK GDPR requires a proactive and transparent approach from processors, who should be willing to engage with controllers and answer their questions. 

Contracts between controllers and large-scale processors often allow processors to choose and appoint sub-processors. Processors usually require this flexibility. 

However, the appointment of subprocessors can also be a heavily negotiated point with controller customers who are particularly concerned about subprocessors accessing their data, for instance, where the data in question is high-risk or sensitive. 

If you require help negotiating terms to appoint sub-processors, you should seek legal advice from a data protection solicitor.

Key Takeaways

Under the UK GDPR rules, processors must obtain written authorisation from controllers before engaging sub-processors. This authorisation can be specific or general for each sub-processor, but the controller retains the right to object to any new appointments. Ultimately, obtaining authorisation from the controller is critical for building trust, maintaining compliance, and safeguarding personal data. 

If you need advice on your obligations when appointing a third-party sub-processor, contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Understanding Your Business’ New Employment Law Obligations

Ensure your business is compliant with the new employment law changes. Register for our free webinar to learn more.
Register Now

A Roadmap to Business Success: How to Franchise in the UK

Learn the formula for successfully franchising your UK business. Register for our free webinar today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times