A data subprocessor is an entity handling data on behalf of another company, where this other company itself is a data processor.
A data subprocessor is a data processor handling data on behalf of a company that is also acting as a data processor. When acting as a subprocessor, the company has, or may gain, access to the personal data of the data controller’s customers.
A processor might wish to sub-contract all or some of the processing to another processor. This is sometimes referred to as using a ‘subprocessor’, although this term is not taken from the GDPR itself.
For example, suppose a software company delivers HR software to customers. If the customers of the HR company add personal data about their employees, the HR company is then a data processor. If the HR company uses AWS as a cloud hosting service, AWS is then the subprocessor of the HR company.
If you are a subprocessor, you will be liable for any damage caused by your processing if you have not complied with the GDPR obligations imposed on processors or you have acted contrary to the controller’s lawful instructions, relayed by the processor, regarding the processing.
If you are a processor and use a subprocessor to carry out processing on your behalf, you will be fully liable to the controller for the subprocessor’s compliance. This means that, if a subprocessor is at fault, the controller may claim back compensation from you for the failings of the subprocessor.
These questions can help you determine whether your company is a data processor under GDPR: