Skip to content

What Is a Data Sub-Processor?

Table of Contents

The UK General Data Protection Regulation (UK GDPR) is the fundamental law in the UK regulating the use of personal data. Under this law, various rules exist for different parties in a data processing relationship. It is common for data processors to engage the assistance of further processors, commonly known as ‘data sub-processors’. However, data processors should note several data protection compliance considerations apply when engaging third-party sub-processors. This article will explore what a data sub-processor is and critical considerations for data processors regarding their use.

What Is a Sub-Processor’s Role?

Understanding the roles of data controllers and data processors within the UK GDPR framework is crucial. This distinction is vital for understanding each party’s role in accountability when processing personal data caught within the scope of the UK GDPR

While data controllers are responsible for determining the purposes and means of processing personal data, data processors process personal data on behalf of the controller. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

A ‘data sub-processor’ is a third party that a data processor engages to assist with personal data processing on behalf of the controller. Data processors typically engage them to process the data controller’s data for specific purposes. 

For example, a data processor may engage a cloud storage provider to store personal data, which it processes on behalf of a data controller customer. In such cases, the cloud storage provider acts as a sub-processor, processing personal data on the controller’s behalf through the data processor’s instructions. 

What Are Some Key Considerations for Sub-Processor Relationships?

If your business processes data as a processor, there are vital issues to note when engaging a third-party subprocessor. 

Three of the critical issues to consider, amongst others, are as follows:

Have You Carried Out Due Diligence?

Appointing a sub-processor is a high risk. Processors should safeguard themselves from liability by conducting detailed due diligence on potential sub-processors to ensure compliance with UK GDPR data processing standards. 

This includes assessing their measures for preventing unauthorised data processing and loss, their technical security procedures, data destruction procedures, internal controls for managing data security risks and employee training.

Processors should precisely document their due diligence efforts, conduct regular audits or reviews, and maintain records of all data categories processed by sub-processors so they are readily available for data protection regulators upon request.

Have You Obtained Authorisation from the Controller?

The UK GDPR imposes strict rules on sub-processors’ engagement by processors, requiring prior written authorisation from the controller, either specific or general.  If granted general authorisation, the processor must notify the controller of any changes, offering the controller the opportunity to object.

For practical purposes, contractual agreements between controllers and processors often grant the processor the authority to appoint sub-processors. At the same time, the controller retains the right to reject these third parties and terminate the contract if they are unhappy with their appointment. 

Have You Put in Place a Sub-Processor Agreement?

A processor must impose identical data protection obligations on sub-processors as specified in the contract between the controller and the processor and ensure that the sub-processor (SP) only processes personal data per the controller’s instructions. 

Further, the original processor remains fully liable to the controller for the SP’s performance, necessitating thorough due diligence on them before engagement to ensure the meeting of contractual obligations. As such, parties require formal sub-processor agreements to reflect the obligations to ensure UK GDPR requirements where an SP is engaged. 

You should carefully draft sub-processing agreements to accurately reflect the specific data processing agreement and safeguard the initial processor from risk.  

In summary, various issues exist when a processor intends to engage an SP. If you require support understanding these obligations, you should seek legal advice from an experienced data protection solicitor. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Key Takeaways

While a data processor appointing third-party sub-processors is common practice, a data processor must consider several critical UK GDPR considerations when engaging an SP. For instance, the processor must ensure it has the authority to appoint a sub-processor to process the controller’s data. Further, the processor must enter into a contractual agreement with the sub-processor, requiring adherence to the same standards and requirements of UK GDPR compliance as assured to the controller. 

Furthermore, the processor remains accountable to the controller for the actions of the sub-processor, necessitating thorough due diligence to ensure adequate safeguarding of the controller’s data. While engaging them is common, it also presents significant risks for processors. When a processor is uncertain about its legal obligations regarding sub-processor engagement, seeking legal advice is vital. 

If you need advice on UK GDPR compliance or your obligations when appointing a third-party sub-processor, you can contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards