A subprocessor, as vendor contracts and this article use the term, is a third party that processes personal data on behalf of, and on the documented instructions of, a data controller. (The GDPR itself calls that party a "processor" and uses "sub-processor" for a processor engaged by another processor; the obligations discussed here apply in both cases.) Under the General Data Protection Regulation (GDPR), controllers remain responsible for ensuring that any processing they outsource complies with the regulation, and Article 28 places specific requirements and obligations on them when they engage processors and subprocessors.
What is a Data Controller?
First, it is important to understand what a data controller is. Under Article 4(7) of the GDPR, a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data. The controller carries the primary responsibility for compliance with data protection law. Some examples of data controllers include:
- Companies that collect data from customers
- Organizations that gather data on employees
- Businesses that obtain and analyze consumer data
- Public authorities that process personal data
Data controllers must ensure that all processing of personal data under their control complies with the GDPR principles in Article 5 and must be able to demonstrate that compliance (the accountability principle). This includes implementing appropriate technical and organizational measures (Articles 24 and 32), keeping records of processing activities (Article 30), appointing a Data Protection Officer (DPO) where Article 37 requires one, and more.
What is Personal Data?
Before defining what a subprocessor is, it is also important to understand what constitutes personal data under the GDPR. Article 4(1) defines personal data as any information relating to an identified or identifiable natural person, whether the person can be identified directly or indirectly. This includes:
- Names
- ID numbers
- Location data
- Online identifiers (IP addresses, cookies)
- Financial information
- Biometric data
- Health records
- Political opinions
If an organization processes personal data in the context of an establishment in the EU, or processes the personal data of people in the EU while offering them goods or services or monitoring their behaviour, it is subject to the GDPR (Article 3) and to its rules on subprocessing.
Defining a Subprocessor
A subprocessor is a third party that processes personal data on behalf of and on the documented instructions of a data controller, without deciding the purposes of that processing itself. Article 28 of the GDPR sets out the controller's obligations when engaging such a processor, and Articles 28(2) and 28(4) extend the same obligations to any further processor (the GDPR's "other processor", in practice called a sub-processor) that the first processor engages. Some examples of potential subprocessors include:
- Cloud computing services
- Data storage providers
- Cloud-based software/SaaS
- IT services companies
- Payment processors
- CRM software providers
- Marketing service providers
- Call center operations
In practice, any third-party service that handles personal data on a controller's behalf can be a subprocessor. The test is who decides why and how the data is processed: a provider that uses the data for its own purposes (many payment and advertising services do, for at least part of their processing) is an independent controller or joint controller for that processing, not a processor, and under Article 28(10) a processor that starts determining the purposes and means of processing is treated as a controller for it. The controller retains full responsibility for processing carried out on its behalf.
Obligations When Using Subprocessors
Under Article 28 of the GDPR, data controllers have specific obligations when using a subprocessor to process personal data under their control. These obligations aim to protect the rights of data subjects. The main obligations around subprocessing include:
Lawful Basis and Authorization
Engaging a subprocessor does not change the lawful basis that the processing itself requires, and it does not by itself require the data subject's consent. Whoever carries out the processing, the controller must be able to point to one of the Article 6 lawful bases:
- The data subject has given consent (freely given, specific, informed and unambiguous)
- Processing is necessary for the performance of a contract with the data subject
- Processing is necessary to comply with a legal obligation
- Processing is necessary to protect someone's vital interests
- Processing is necessary for a task carried out in the public interest or in the exercise of official authority
- Processing is necessary for the controller's or a third party's legitimate interests, and those interests are not overridden by the data subject's interests and rights
Relying on consent can be fragile, because consent can be withdrawn at any time, so controllers should confirm that the basis they rely on actually covers the processing the subprocessor will perform. The "authorization" that Article 28 itself speaks of is a different thing: it is the controller's prior specific or general written authorization that a processor needs before it may engage a further subprocessor (see Appointing Further Subprocessors below).
Written Contracts
Data controllers must have a contract or other legal act in writing, which may be in electronic form, with each subprocessor. This is the backbone of accountability and governance, and Article 28(3) prescribes what it must contain:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Processing only on the controller's documented instructions, including for any transfer to a third country
- Confidentiality commitments for the people authorized to process the data
- The security measures required by Article 32
- Rules around appointing further subprocessors (prior authorization and flow-down of the same obligations)
- Assistance to the controller in responding to data subject rights requests
- Assistance to the controller with its security, breach notification and DPIA obligations (Articles 32 to 36)
- Deletion or return of the personal data at the end of the service, at the controller's choice, and deletion of existing copies unless Union or Member State law requires retention
- Making available all information needed to demonstrate compliance, and allowing and contributing to audits and inspections
Well-written contracts are key to minimizing risks and ensuring GDPR-compliant subprocessing activities.
Due Diligence
Under Article 28(1), controllers may only use processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures. Meeting that standard means conducting due diligence before selecting a subprocessor and repeating it during the relationship: evaluating its security controls, privacy practices, breach history, use of further subprocessors, data locations and financial stability. Article 28(5) allows adherence to an approved code of conduct or certification mechanism to count as evidence of sufficient guarantees, but it does not replace the controller's own assessment.
Transfers Outside the EEA
If a subprocessor will transfer personal data outside the European Economic Area (EEA), Chapter V of the GDPR applies. The destination must be covered by an adequacy decision (Article 45), or appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules must be in place (Article 46), or one of the narrow derogations in Article 49 must apply. Since the CJEU's Schrems II judgment (Case C-311/18), the exporter must also assess whether the law and practice of the destination country undermine those safeguards and adopt supplementary measures where they do.
Liability
Controllers remain accountable for processing carried out on their behalf, so a subprocessor's violation can expose the controller to supervisory authority investigations, administrative fines, compensation claims and reputational damage. Liability is not the controller's alone, however: processors have direct obligations under the GDPR (among them Articles 28, 29, 30(2), 32, 33(2) and 37), can be fined under Article 83, and are liable to data subjects under Article 82 where they breach processor-specific obligations or act outside the controller's lawful instructions. Under Article 28(4), the initial processor also remains fully liable to the controller for the performance of any further subprocessor it engages.
Security
Data controllers must ensure that subprocessors implement appropriate technical and organizational measures to protect the data, as Article 32 requires, taking into account the state of the art, implementation cost, and the nature, scope, context and purposes of the processing and its risks. Article 32 names examples that should appear in the contract and in due diligence: pseudonymization and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems; the ability to restore availability and access after an incident; and regular testing and evaluation of the measures. This is how the security principle in Article 5(1)(f) is upheld across the processing chain.
Record Keeping
Controllers must keep records of processing activities under Article 30(1), and those records include the categories of recipients (which covers subprocessors) and any transfers to third countries together with the safeguards relied on. Processors keep their own records under Article 30(2) of the processing they carry out for each controller. In practice most controllers maintain a subprocessor register listing each subprocessor's name, location, the data and processing it performs, the governing contract and the transfer mechanism; that register is the evidence the accountability principle calls for.
Appointing Further Subprocessors
The initial subprocessor that a controller engages may subsequently engage another processor to handle certain processing activities. This is known as further subprocessing, and Article 28(2) and 28(4) set the rules.
The processor may not engage another processor without the controller's prior specific or general written authorization. Where the authorization is general, the processor must inform the controller of any intended addition or replacement of subprocessors so that the controller has the opportunity to object. Under Article 28(4), the same data protection obligations contained in the controller-processor contract must be imposed on the further subprocessor by contract, in particular the obligation to provide sufficient guarantees of appropriate security measures, and where the further subprocessor fails to meet them, the initial processor remains fully liable to the controller.
Processor-to-Processor Transfers
In some cases, a subprocessor transfers personal data directly to another subprocessor, at the controller's instruction or under a general authorization. Even though the controller did not itself move the data, it remains accountable for the processing.
These processor-to-processor transfers must be documented in the controller's records and in the subprocessor register, and the controller needs evidence that every subprocessor in the chain is bound by equivalent contractual obligations and provides adequate safeguards. Where such a transfer leaves the EEA, the exporting processor needs its own Chapter V mechanism; the Standard Contractual Clauses adopted by the Commission in 2021 include a processor-to-processor module for exactly this case.
Subprocessors and Data Protection Impact Assessments
Under GDPR, data controllers may be required to conduct a Data Protection Impact Assessment (DPIA) for processing likely to result in high risk. Using a subprocessor itself does not necessarily trigger the DPIA requirement.
However, controllers should assess whether the subprocessor's involvement changes the processing in a way that increases risk, for example by adding new data locations, third-country transfers, or new technologies, and so requires a DPIA. Where a DPIA is carried out, it must describe the processing including the subprocessors involved, and Article 28(3)(f) obliges the processor to assist the controller with it.
Subprocessor Compliance and Audits
To confirm that subprocessors are meeting their contractual GDPR obligations, controllers need ongoing oversight. Article 28(3)(h) gives them the tools: the processor must make available all information necessary to demonstrate compliance and must allow for and contribute to audits, including inspections, conducted by the controller or an auditor it mandates. Oversight should be proportionate to risk and can combine questionnaires, review of the subprocessor's independent audit reports and certifications, progress reports on agreed remediation, and on-site inspections where the data or the findings warrant them. The same provision obliges the processor to inform the controller immediately if it believes an instruction infringes the GDPR.
If audits reveal non-compliance, controllers should agree corrective actions and deadlines with the subprocessor. Failure to address compliance issues may require suspending the processing or terminating the subprocessing contract.
Subprocessor Transparency
GDPR's transparency obligations mean that data controllers must be open with data subjects about their use of subprocessors. Articles 13 and 14 require privacy notices to state the recipients or categories of recipients of the personal data, and any intention to transfer data to a third country together with the safeguards relied on. Naming every subprocessor in the notice is not required; many controllers publish a categorized subprocessor list and notify changes to it. On an access request, Article 15(1)(c) entitles the data subject to the recipients or categories of recipients, and the CJEU held in Case C-154/21 (Österreichische Post, January 2023) that the data subject may insist on the actual identities of the recipients unless it is impossible to identify them or the request is manifestly unfounded or excessive.
Controllers should therefore be prepared to provide data subjects with:
- The categories of subprocessors used and the types of processing they conduct
- Any transfers to third countries and the safeguards in place
- The subprocessors' names and locations, on request
Keeping data subjects informed is key to upholding transparency obligations under the GDPR.
Data Subject Rights and Requests
When data subjects exercise rights such as access, rectification, erasure or objection, the controller must ensure the request is carried through to personal data held by every subprocessor, normally within the one-month deadline of Article 12(3). Article 28(3)(e) requires the contract to oblige the processor to assist the controller, by appropriate technical and organizational measures, in responding to such requests, and the contract should set response times for the subprocessor that leave the controller room to meet its own deadline.
Subprocessors and Data Transfers
Any transfer of personal data outside the EEA by a subprocessor, including onward transfers to its own subprocessors and remote access by support staff located in third countries, must satisfy the Chapter V requirements on adequacy and safeguards. Controllers must therefore know where each subprocessor, and each further subprocessor, stores and accesses the data, and must verify that no transfer takes place to a destination without a valid mechanism.
Where transfers do occur, controllers should ensure that a valid mechanism such as an adequacy decision, Standard Contractual Clauses or Binding Corporate Rules is in place, that the documented transfer risk assessment supports it, and that the contract requires the subprocessor to inform the controller before adding new transfer destinations.
Subprocessors and Data Breaches
Article 33 requires controllers to notify personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; Article 34 additionally requires notifying the affected individuals where the risk is high. These duties apply equally when the breach occurs at a subprocessor, and the controller is treated as aware once the processor has informed it.
Article 33(2) obliges the processor to notify the controller without undue delay after becoming aware of a breach. Because the regulation sets no specific number of hours for that step, the contract should: set a concrete deadline for the subprocessor's notification (a short period measured in hours is common practice), specify the information the controller needs for its own report, and flow the same obligation down to any further subprocessors.
Subprocessor Termination and Succession
Contracts should outline the required actions when the subprocessing agreement ends. Article 28(3)(g) requires the processor, at the controller's choice, to delete or return all the personal data after the end of the services and to delete existing copies, unless Union or Member State law requires the data to be stored.
The GDPR itself does not require a subprocessor to assist with a transition to a successor provider. Export formats, migration timelines, transition assistance and written confirmation of deletion are contractual matters, so controllers should negotiate them up front rather than rely on the regulation to supply them when a contract is terminated.
Conclusion
Overall, the GDPR creates a framework that keeps data controllers accountable for any processing of personal data carried out on their behalf. By meeting the requirements around contracts, due diligence, security, oversight, transfers and transparency, controllers can govern subprocessing activities effectively while minimizing compliance risk.
Subprocessors that meet their own GDPR obligations and their contractual commitments enable controllers to uphold their data protection responsibilities. But controllers retain accountability for compliance across the entire processing lifecycle and every link in the processing chain.