Personal data rarely stops at your direct vendor. It flows on to sub-processors — the cloud hosts, support tools and providers your vendors rely on — and that hidden chain is a real source of risk. Managing it is an advanced but increasingly important part of GDPR compliance.
This guide explains what sub-processors are, the Article 28 rules on authorisation and flow-down, liability, the link to international transfers, and how to keep your vendor chain visible and controlled.
What a sub-processor is
When your processor (a SaaS tool or cloud service) engages another company to help it process your data, that company is a sub-processor. The chain is common and often invisible: you hand data to a vendor, who hands part of it to their cloud host, support tool or payment provider.
GDPR treats this chain seriously. Article 28 sets out rules for engaging sub-processors, and as the controller, the data ultimately remains your responsibility no matter how far down the chain it travels.
Why sub-processors matter
Every sub-processor is another organisation that can access, lose or mishandle your data — so-called fourth-party risk. A breach at your vendor’s cloud host is still a breach of your data, and you may have to notify regulators and individuals.
Yet sub-processors are often the least visible part of the chain, which is exactly why GDPR builds in rules to keep them controlled and transparent.
Free resource
GDPR Policy Templates
Get sub-processor register and vendor-management templates.
Authorisation is required
A processor cannot engage a sub-processor without the controller’s authorisation. This can be specific (you approve each one) or general (you authorise the use of sub-processors in principle, with the right to be informed of changes and to object).
Most large vendors operate general authorisation, publishing a sub-processor list and notifying customers of additions — but you retain the right to object to a new one.
The flow-down obligation
When a processor uses a sub-processor, it must impose the same data protection obligations on that sub-processor as exist in its own contract with you — through a written agreement. The protections cannot weaken as data moves down the chain.
This “flow-down” is what ensures your data is protected to the same standard whether it sits with your direct vendor or their sub-processor three steps away.
The processor stays liable
Crucially, where a sub-processor fails to meet its obligations, the original processor remains fully liable to the controller for the sub-processor’s performance. Your vendor cannot shrug off a sub-processor’s failing as someone else’s problem.
This gives your direct vendor a strong incentive to choose and manage its sub-processors carefully — and gives you a single accountable party to hold responsible.
The right to object
Under general authorisation, when a processor adds or replaces a sub-processor, it must inform you and give you the chance to object. A genuine objection process — not just a notice you cannot act on — is part of meaningful control.
In practice, objecting can be difficult if the sub-processor is integral to the service, so the real leverage is at vendor selection. Still, the right matters, especially for higher-risk additions.
Due diligence on the chain
Before relying on a vendor, understand its sub-processors: who they are, what they do with your data, where they are located, and how they are secured. Reputable vendors publish this information; reluctance to share it is itself a warning sign.
Pay particular attention to sub-processors that introduce international transfers or that handle sensitive data, as these carry the most risk.
Sub-processors and transfers
Sub-processors frequently sit outside the EU — a US cloud region, an offshore support team. Each such hop is an international transfer that needs a valid mechanism (SCCs or the Data Privacy Framework) and, where relevant, a transfer impact assessment.
So managing sub-processors and managing transfers are closely linked: you cannot assess your transfers properly without knowing your full sub-processor chain.
Handled well, this is one more building block of practical GDPR compliance.
Keep a sub-processor register
The practical tool for control is a register of your vendors and their key sub-processors — what data each handles, where, and under what safeguards. This feeds your Record of Processing Activities and your transfer assessments, and lets you answer questions quickly.
Without such a register, sub-processor risk becomes invisible until something goes wrong.
Monitoring changes over time
Sub-processor chains change: vendors add new tools, switch cloud providers, or acquire others. Build a habit of reviewing sub-processor notifications, reassessing at contract renewal, and re-checking the chain periodically rather than assuming it is static.
A sub-processor that was low-risk last year may have changed its practices or location since.
Your own role as a processor
If you are a processor for your customers, the rules apply to you in reverse: you must obtain authorisation before using sub-processors, flow down obligations, maintain a public sub-processor list, notify customers of changes, and remain liable for your sub-processors’ performance.
Handling this transparently — a clear, current sub-processor list and prompt notifications — is increasingly something enterprise customers expect before they buy.
Common pitfalls
Typical failings include having no visibility of sub-processors, accepting general authorisation with no real objection process, ignoring the transfers that sub-processors introduce, and not updating your records when chains change. Each leaves risk hidden in the supply chain.
The fix is visibility and routine: know your chain, keep a register, and review it.
How ISpectra helps
Managing sub-processors and vendor chains is an advanced but increasingly scrutinised part of GDPR compliance. ISpectra Technologies helps organisations map their sub-processor chains, assess fourth-party and transfer risk, build sub-processor registers, and put proper authorisation, flow-down and objection processes in place — both as a controller and as a processor.
If you cannot currently name your vendors’ sub-processors, a supply-chain review is a sensible next step.
In one paragraph
A sub-processor is a company your processor engages to help handle your data — the next link in the chain, and a source of fourth-party risk. Under Article 28, a processor may only use sub-processors with the controller’s authorisation (specific or general with a right to object), must flow down the same data protection obligations, and remains liable for the sub-processor’s performance. Because sub-processors often introduce international transfers, managing them links directly to your transfer compliance. Keep a register of your vendors and their sub-processors, review changes, and — if you are a processor yourself — maintain a transparent sub-processor list for your customers.
Free consultation
Need help with GDPR?
Talk to our data-protection specialists — we’ll map your fastest path to compliance.
The 4th-party blind spot
Most organisations have a reasonable handle on their direct vendors but a genuine blind spot beyond them. You signed a contract with your CRM provider, but did you check who they rely on to send emails, store backups, or run analytics? That second tier — your fourth parties — can hold or touch your customers’ data without ever appearing in your own contracts, and a failure there lands on you all the same. High-profile breaches have repeatedly originated not at the household-name vendor but at a small sub-processor several steps removed.
Closing this blind spot does not require auditing the entire internet. It requires a proportionate, risk-based view: for your most important vendors and your most sensitive data, insist on a current sub-processor list, understand where the data physically goes, and confirm the safeguards. For lower-risk relationships, a lighter touch is fine. The goal is simply to replace “we have no idea” with “we know our chain and the risks in it” — which is exactly the position a regulator, an enterprise customer, or your own incident-response team will expect you to be in when something goes wrong.