What is a sub-processor and how is different from a processor?
To understand what a sub-processor is, we need to understand what is a processor and why do we call some processors sub-processor.
What is a processor?
A processor is someone that processes personal data on behalf of someone else.
We have a child a parent and a toy. Let’s imagine that the toy is a personal data. The child is the one that plays with the toy, he has access to they toy and may decide where to store it. However, the parent is the real owner of the toy and they decide what the child can do and can't do with the toy.
In data protection the toy is the data, the child is the processor and the parent in the controller. Meaning the controller sets the rules with which the processor may use the data and the processor follows those rules.
Example: Google Drive
Let’s say you use Google Drive. Google Drive (processor) chooses which servers to store data in, what security measures to put around it but ultimately you decide which data to upload to Google Drive, when to edit it and when to remove it - making you the controller.
Note: to be a processor you don’t need to store personal data, passing through the system or having access to the information also counts. For example, integration tools like Zapier or Integromat are also processors.
How is a sub-processor different from a processor?
Let’s say that Google Drive uses Amazon Web Services to run their servers and Mailchimp to send you an email when someone gives you access to a file. In this scenario Amazon Web Services and Mailchimp are processors to Google Drive.
When we use a processor like Google Drive - we call the processors that they use to give you a service (in this case Amazon Web Services and Mailchimp) sub-processors.
To recap: sub-processors are the processors of your processors
Why do you need to know who your sub-processors are?
If in your company you act as a processor (the majority of SaaS are processors) then you need to have a Data Processing Agreement which is an agreement required by law that lays out your responsibilities and those of the controller.
In this agreement you need to specify who your own processors are, as they will be sub-processors for your customers. You will need to also include: the purpose for which you engage these companies and the countries where the data is being processed.
In our example - in their Data Processing Agreement Google Drive will have:
Alex Franch is the co-founder and CEO of Privasee. With a background in computer science and cybersecurity, it is no surprise that he is a highly analytical problem solver; now putting these skills to use within the data privacy space. Alex is passionate about GDPR, and productivity and spends a lot of time doing sports as he values the importance of having a work-life balance. He is excited to help businesses generate documentation, and become and maintain GDPR compliance through the Privasee platform.
Get Compliant in <1 Hour
Are you Fully GDPR Compliant?
Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.