What Is A Sub-Processor?

By
Alex Franch
December 6, 2022

What is a sub-processor and how is different from a processor?

To understand what a sub-processor is, we need to understand what is a processor and why do we call some processors sub-processor.

What is a processor?

A processor is someone that processes personal data on behalf of someone else.

Analogy

We have a child a parent and a toy. Let’s imagine that the toy is a personal data. The child is the one that plays with the toy, he has access to they toy and may decide where to store it. However, the parent is the real owner of the toy and they decide what the child can do and can't do with the toy.

In data protection the toy is the data, the child is the processor and the parent in the controller. Meaning the controller sets the rules with which the processor may use the data and the processor follows those rules.

Example: Google Drive

Let’s say you use Google Drive. Google Drive (processor) chooses which servers to store data in, what security measures to put around it but ultimately you decide which data to upload to Google Drive, when to edit it and when to remove it - making you the controller.

Note: to be a processor you don’t need to store personal data, passing through the system or having access to the information also counts. For example, integration tools like Zapier or Integromat are also processors.

How is a sub-processor different from a processor?

Let’s say that Google Drive uses Amazon Web Services to run their servers and Mailchimp to send you an email when someone gives you access to a file. In this scenario Amazon Web Services and Mailchimp are processors to Google Drive.

When we use a processor like Google Drive - we call the processors that they use to give you a service (in this case Amazon Web Services and Mailchimp) sub-processors.

To recap: sub-processors are the processors of your processors

Why do you need to know who your sub-processors are?

If in your company you act as a processor (the majority of SaaS are processors) then you need to have a Data Processing Agreement which is an agreement required by law that lays out your responsibilities and those of the controller.

In this agreement you need to specify who your own processors are, as they will be sub-processors for your customers. You will need to also include: the purpose for which you engage these companies and the countries where the data is being processed.

In our example - in their Data Processing Agreement Google Drive will have:

Sources

https://gdpr.eu/article-28-processor/

Share this post
Alex Franch
Co-Founder & CEO
Get Compliant in <1 Hour

Are you Fully GDPR Compliant?

Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.