Data subprocessor

A data subprocessor is an entity handling data on behalf of another company, where this other company itself is a data processor.

What is a data subprocessor?

A data subprocessor is a data processor handling data on behalf of a company that is itself acting as a data processor. As a subprocessor, the company has, or may gain, access to the personal data of the data controller’s customers.

A processor might wish to sub-contract all or some of the processing to another processor. This is sometimes referred to as using a ‘subprocessor’, although this term is not taken from the GDPR itself.

For example, consider a software company that delivers HR software to its customers. If the customers of the HR company add personal data about their employees, the HR company is a data processor. If the HR company uses AWS as a cloud hosting service, AWS is then the subprocessor of the HR company.

What are the duties of the data subprocessor?

If you are a subprocessor, you will be liable for any damage caused by your processing if you have not complied with the GDPR obligations imposed on processors or you have acted contrary to the controller’s lawful instructions, relayed by the processor, regarding the processing.

Read more about the duties of the processors.

If you are a processor and use a subprocessor to carry out processing on your behalf, you will be fully liable to the controller for the subprocessor’s compliance. This means that, if a subprocessor is at fault, the controller may claim back compensation from you for the failings of the subprocessor.

Is your company a data subprocessor?

These questions can help you determine whether your company is a data processor under GDPR:

  • We are following instructions from a data processor.
  • We do not decide to collect personal data from individuals.
  • We do not decide what personal data should be collected from individuals.
  • We do not decide the lawful basis for the use of that data.
  • We do not decide what purpose or purposes the data will be used for.
  • We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
