What is a Sub-processor?

Sub-processor – a processor that makes up a part of a larger processor. Contractual requirements between a processor and a sub-processor stay the same as between the data controller and the processor.

Sub-processors are third parties engaged by a Data Processor to assist with processing personal data on behalf of the Data Controller. In other words, when a Data Processor needs additional help to fulfill its obligations, it may hire or contract another party to perform some of the processing activities. This third party is referred to as a Sub-processor.

Key Points about a Sub-processor:

  1. Delegated Processing: The Sub-processor processes personal data under the instructions and responsibility of the primary Data Processor, who remains accountable to the Data Controller for the data processing activities.
  2. Contractual Obligations: The primary Data Processor must obtain authorization from the Data Controller before engaging a Sub-processor. Additionally, there should be a written contract between the Data Processor and the Sub-processor, outlining the same data protection obligations that apply to the Data Processor, ensuring that the Sub-processor complies with the necessary security and privacy standards.
  3. Liability: While the Sub-processor is responsible for adhering to the contractual obligations, the primary Data Processor remains liable to the Data Controller for any breaches or non-compliance by the Sub-processor.
  4. Transparency: The Data Controller should be informed about the use of Sub-processors and may have the right to object to specific Sub-processors being used, depending on the terms of the agreement.
  5. Data Protection Laws: Under regulations like the GDPR, the involvement of Sub-processors is tightly controlled. The Data Processor must ensure that Sub-processors provide the same level of protection and comply with the same data processing standards as required by the Data Controller.

Example:

Email Service Provider: Suppose a Data Processor (e.g., a marketing company) uses an email service provider to send marketing emails on behalf of a Data Controller (e.g., an online retailer). In this case, the email service provider acts as a Sub-processor, processing personal data (like email addresses) under the guidance of the Data Processor.
