Skip to content
Platform|Embed
ContactAboutNewsReviewsBook a demo
Support
Custom templatesCreate templates in DocueReady-made legal templates150+ lawyer-made UK templatesElectronic signatureEffortless signing in secondsDocue DriveSecure, intelligent contract managementEmbedded Legal EngineEmbed templates into your own softwareEmbedded Sign EngineEmbed signing into your own software
Legal Templates
HubSpotSalesforcePipedriveOther systems
Pricing
SearchLog inBook a demo
PlatformEmbed
HomeLegal TemplatesPricingContactAboutNewsReviews
Book a demo

Already have an account? Sign in

  1. Legal Hub
  2. Top 5 FAQs about sub-processor agreements
0 % read

Top 5 FAQs about sub-processor agreements

FAQ•Last updated 15 Oct 2024
Understanding data protection laws and the requirements for sub-processor agreements can be complex. Find out everything you need to know about sub-processor agreements via the frequently asked questions below.

1. What is a sub-processor?

A sub-processor is a third party that is engaged by a processor to carry out some, or all, of the processing that the processor has been instructed by a controller to carry out. The terminology used in data protection laws is explained in more detail below:

  • Controller - this is the business (or individual) that makes decisions about the processing, by determining the purpose and the means of the processing. The controller exercises overall control over the personal data being processed and is ultimately in charge of and responsible for the processing.

  • Processor - a processor is the business that has been appointed to act on behalf of the controller. Processors serve the controller’s interests when processing, rather than their own. Although a processor may make its own day-to-day operational decisions, it should only process personal data in line with the controller’s instructions.

  • Sub-processor - a processor sometimes sub-contracts all or some of the processing to another processor. The party that the processing is subcontracted to is known as a sub-processor.

So let’s find out how it could work in practice - a fashion retailer may engage a website developer to build and host an e-commerce website. The website will collect and process customers’ personal data when they make purchases via the online shop, which will be hosted via the cloud. That website developer may outsource the cloud hosting element of its service to a third party. In this scenario, the different parties would have the following roles: fashion retailer = controller, website developer = processor and cloud hosting provider = sub-processor.

2. What is a sub-processor agreement?

A sub-processor agreement is a contract between a processor and a sub-processor. It will cover the extent of the processing to be carried out by the sub-processor, as well as the legal terms that apply to the relationship.

It is also important that the sub-processor agreement reflects the terms of the contract in place between the controller and processor (usually called a Data Processing Agreement or DPA). There is often a term in the DPA that expressly states that the terms of the contract between the processor and any sub-processor (the sub-processor agreement) must mirror the terms of the DPA.

To ensure consistency, Docue’s data processing agreement template can be used for both controller-processor and processor-sub-processor relationships. This way you can ensure that all relevant terms are flowed down into your sub-processor agreement.

3. When do I need to use a sub-processing agreement?

A sub-processing agreement should be put in place whenever any personal data is being shared between a processor and a sub-processor, whether it is being shared by the processor directly or from the controller. It is a requirement of Article 28(4) of the UK GDPR that, where a processor engages another processor (a sub-processor) to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract between the controller and the processor must be imposed on (or flowed down to) that sub-processor.

Find out more about when a sub-processing agreement may be needed by your business here.

4. What does the sub-processor agreement need to include?

The terms of the sub-processor agreement must reflect the terms that are in the contract between the controller and processor, so that all obligations on the processor are ultimately flowed down to the sub-processor.

Contracts between controllers and processors (and therefore processors and sub-processors) must contain certain mandatory clauses that are set out in Article 28(3) of the UK GDPR. Check out our handy checklist to find out more about what clauses should be included in your data processing agreement/sub-processor agreement.

5. Can I share personal data with a sub-processor without a sub-processor agreement?

No, sharing personal data with a sub-processor without a sub-processor agreement being in place will be a breach of data protection law.

Docue’s data processing agreement includes the option for it to be used as a sub-processor agreement by simply selecting the “processor to sub-processor” option at the start of the contract creation process - the sub-processor agreement template contains all the mandatory clauses needed to have a contract that is compliant with data protection laws.

Sign-up now to use Docue's data processing agreement template.

Author
Docue's Legal Team

Tags: sub processor agreement template, gdpr sub processor agreement template, sub processor agreement, sub processing agreement, subprocessor agreement.


Related articles

Checklist•Updated 15 Oct 2024
Checklist for ensuring your data processing addendum complies with the UK GDPR
Article•Updated 15 Oct 2024
Everything you need to know about data processing agreements, including the key clauses to include

Related legal templates

Data Processing AgreementData Sharing AgreementPrivacy Notice (Website)

About Docue

Docue gives you access to 150+ automated legal templates for all important business situations. Templates are maintained by experienced UK lawyers to stay up-to-date with English and Welsh legislation.

Features

  • Custom templates
  • Ready-made legal templates
  • Electronic signature
  • Contract management

Service

  • Pricing
  • Reviews
  • Integrations
  • Legal Hub
  • Support

Company

  • About
  • Contact
  • News
  • Solutions
  • Reviews

Other

  • Log in
  • Data Security
  • Privacy Policy
  • Terms of Use
  • Data Processing Agreement

Support site

Instructions for using the service and answers to frequently asked questions: help.docue.com/en

Customer Service

For business customers: support@docue.com

4.5
(142)
Google LogoReviews on Google
ISO logo

ISO/IEC 27001 certified

© 2026 Docue

•
  • Facebook
  • Instagram
  • Twitter
  • LinkedIn
  • Youtube
Choose country