January 17, 2023
To understand what a sub-processor is, we need to understand what is a processor and why do we call some processors sub-processor.
A processor is someone that processes personal data on behalf of someone else.
We have a child a parent and a toy. Let’s imagine that the toy is a personal data. The child is the one that plays with the toy, he has access to they toy and may decide where to store it. However, the parent is the real owner of the toy and they decide what the child can do and can't do with the toy.
In data protection the toy is the data, the child is the processor and the parent in the controller. Meaning the controller sets the rules with which the processor may use the data and the processor follows those rules.
Let’s say you use Google Drive. Google Drive (processor) chooses which servers to store data in, what security measures to put around it but ultimately you decide which data to upload to Google Drive, when to edit it and when to remove it - making you the controller.
Note: to be a processor you don’t need to store personal data, passing through the system or having access to the information also counts. For example, integration tools like Zapier or Integromat are also processors.
Let’s say that Google Drive uses Amazon Web Services to run their servers and Mailchimp to send you an email when someone gives you access to a file. In this scenario Amazon Web Services and Mailchimp are processors to Google Drive.
When we use a processor like Google Drive - we call the processors that they use to give you a service (in this case Amazon Web Services and Mailchimp) sub-processors.
To recap: sub-processors are the processors of your processors
If in your company you act as a processor (the majority of SaaS are processors) then you need to have a Data Processing Agreement which is an agreement required by law that lays out your responsibilities and those of the controller.
In this agreement you need to specify who your own processors are, as they will be sub-processors for your customers. You will need to also include: the purpose for which you engage these companies and the countries where the data is being processed.
In our example - in their Data Processing Agreement Google Drive will have:
Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.