1. What is a sub-processor?
A sub-processor is a third party that is engaged by a processor to carry out some, or all, of the processing that the processor has been instructed by a controller to carry out. The terminology used in data protection laws is explained in more detail below:
Controller - this is the business (or individual) that makes decisions about the processing, by determining the purpose and the means of the processing. The controller exercises overall control over the personal data being processed and is ultimately in charge of and responsible for the processing.
Processor - a processor is the business that has been appointed to act on behalf of the controller. Processors serve the controller’s interests when processing, rather than their own. Although a processor may make its own day-to-day operational decisions, it should only process personal data in line with the controller’s instructions.
Sub-processor - a processor sometimes sub-contracts all or some of the processing to another processor. The party that the processing is subcontracted to is known as a sub-processor.
Here is how it could work in practice. A fashion retailer may engage a website developer to build and host an e-commerce website. The website will collect and process customers’ personal data when they make purchases via the online shop, which will be hosted in the cloud. That website developer may outsource the cloud hosting element of its service to a third party. In this scenario, the different parties would have the following roles: fashion retailer = controller, website developer = processor and cloud hosting provider = sub-processor.
2. What is a sub-processor agreement?
A sub-processor agreement is a contract between a processor and a sub-processor. It will cover the extent of the processing to be carried out by the sub-processor, as well as the legal terms that apply to the relationship.
It is also important that the sub-processor agreement reflects the terms of the contract in place between the controller and processor (usually called a Data Processing Agreement or DPA). There is often a term in the DPA that expressly states that the terms of the contract between the processor and any sub-processor (the sub-processor agreement) must mirror the terms of the DPA.
To ensure consistency, Docue’s data processing agreement template can be used for both controller-processor and processor-sub-processor relationships. This way you can ensure that all relevant terms are flowed down into your sub-processor agreement.
3. When do I need to use a sub-processing agreement?
A sub-processing agreement should be put in place whenever any personal data is being shared between a processor and a sub-processor, whether the data is shared by the processor directly or comes from the controller. It is a requirement of Article 28(4) of the UK GDPR that, where a processor engages another processor (a sub-processor) to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract between the controller and the processor must be imposed on (or flowed down to) that sub-processor.
Find out more about when a sub-processing agreement may be needed by your business here.
4. What does the sub-processor agreement need to include?
The terms of the sub-processor agreement must reflect the terms that are in the contract between the controller and processor, so that all obligations on the processor are ultimately flowed down to the sub-processor.
Contracts between controllers and processors (and therefore processors and sub-processors) must contain certain mandatory clauses that are set out in Article 28(3) of the UK GDPR. Check out our handy checklist to find out more about what clauses should be included in your data processing agreement/sub-processor agreement.
5. Can I share personal data with a sub-processor without a sub-processor agreement?
No, sharing personal data with a sub-processor without a sub-processor agreement being in place will be a breach of data protection law.
Docue’s data processing agreement can be used as a sub-processor agreement by selecting the “processor to sub-processor” option at the start of the contract creation process. The sub-processor agreement template contains all the mandatory clauses needed for a contract that is compliant with data protection laws.
Sign up now to use Docue's data processing agreement template.