What Is a Data Sub-Processing Agreement?

The UK General Data Protection Regulation (UK GDPR) sets out critical rules around the processing of personal data. Various restrictions apply when a data processor engages an additional sub-processor to handle specific personal data on behalf of a data controller. In particular, the parties will need to enter into a sub-processing agreement to set out the obligations of the data sub-processor to safeguard the controller’s data. This article explores what a data sub-processing agreement is and the critical issues for processors to consider when entering into one.

What Does It Mean to Appoint a Sub-Processor?

Understanding the roles of data controllers and processors under the UK GDPR is crucial for understanding each party’s legal obligations. 

Data controllers determine the means and purposes of personal data processing, while processors process data on their behalf.

A ‘data sub-processor’ is a third party a processor engages to assist in processing personal data. For example, a processor might use a cloud storage provider that stores a controller’s specific personal data and forms part of the data processing chain.

Various rules apply when a processor engages a further sub-processor. For example, they can carry out due diligence on the sub-processor, obtain consent to engage them from the controller, and enter into a contractual arrangement with them to ensure the controller has equivalent protection of their data from the sub-processor.

What Is a Data Sub-Processing Agreement?

A processor must extend the same data protection assurances to sub-processors as outlined in the contract between the controller and itself as the initial processor. 

This includes ensuring that sub-processors adhere strictly to the instructions provided by the controller regarding personal data processing. 

It is vital to understand that the original processor retains full liability to the controller for the actions of the sub-processor. Therefore, thorough due diligence is essential before engaging a sub-processor to guarantee the ability to fulfil contractual obligations and stringent contractual requirements. Accordingly, formal sub-processor agreements must align with UK GDPR rules when engaging sub-processors.

Drafting sub-processing agreements requires careful attention to detail to accurately reflect the specifics of the data processing arrangement and mitigate risks for the initial processor. These agreements are crucial safeguards that uphold compliance and protect the parties involved in the data processing chain.

Importance of Considering Key Issues

Data sub-processing agreements under the UK GDPR involve several critical considerations that parties must carefully navigate to ensure compliance and protect personal data. 

These agreements are vital for establishing how sub-processors will handle personal data on behalf of data controllers and defining various essential obligations regarding safeguarding data.

From a processor’s perspective, there are several key issues to consider for a data sub-processing agreement. 

Key Issues to Consider Within the Agreement Wording

Some key considerations include the following:

  • agreeing on the scope of services to be provided and the purposes for which the sub-processor may process personal data; 
  • ensuring that sub-processors adhere to the same obligations the processor has promised the controller regarding the use of their data. Essentially, this means ‘flowing down’ the terms which the initial processor has agreed with the controller. In practice, this can be difficult for businesses to implement, particularly with large service providers who act as sub-processors and have their own standard processing terms;
  • sub-processing agreements should include provisions requiring sub-processors to apply appropriate technical and organisational measures to protect personal data and comply with legal obligations. Furthermore, you should establish mechanisms for checking and auditing sub-processors’ compliance to uphold accountability and ensure they are doing what they have promised; 
  • addressing niche issues such as data sharing with further third parties and international transfers is vital, particularly if personal data is transferred outside the UK. In such cases, the agreement must include information about safeguards to ensure data transfers comply with UK GDPR requirements; and
  • considering the implications of liability and indemnity protection in the event of data breaches or non-compliance by sub-processors is also vital. This can be a heavily negotiated area in data processing agreements. 

In summary, data sub-processing agreements require careful attention to detail. They should be niche, reflect the specific data processing activities agreed between the initial data processor and sub-processor, and protect the initial processor from risk.

By tackling key issues such as roles and accountabilities, data protection standards, and apportionment of liability, data processors can be confident that they have contractual protection and recourse when engaging third-party sub-processors. 

Key Takeaways

Where a processor engages a sub-processor, entering into a robust contractual agreement is vital, ensuring adherence to UK GDPR standards to safeguard the controller’s data.

A processor retains liability to the controller for the sub-processor’s actions, emphasising the importance of contractual protection. Sub-processing agreements should be bespoke and protect the interests of the processor, given the potential liabilities it could incur due to the sub-processor’s actions. As such, processors should seek legal advice if they need clarification about how to draft a sub-processing agreement or the provisions it should contain to protect themselves from risk. 

Sej Lamba