Sub-Processor
Third-party processor engaged by a primary processor to perform specific data processing activities
A Sub-processor is a third-party data processor engaged by a primary Data Processor to perform specific processing activities on behalf of a Data Controller. Essentially, it is the "vendor's vendor." For example, if a company (Controller) hires a CRM platform (Processor), and that CRM platform hosts data on Amazon Web Services, AWS is the Sub-processor.
Under GDPR Article 28(2), a processor cannot simply outsource work without permission. The regulation mandates written authorization from the controller before engaging a sub-processor. Authorization can be specific (the controller approves a named vendor) or general (the controller grants broad permission, but the processor must notify the controller of any intended changes, giving the controller the right to object). This "veto power" allows controllers to block the use of sub-processors they deem inadequate.
The "flow-down" principle ensures that data protection does not dilute as it moves down the supply chain. GDPR Article 28(4) requires that contracts between Processors and Sub-processors offer the same level of data protection as the Controller-Processor contract. If the Controller-Processor agreement requires 24-hour breach notification, but the Processor-Sub-processor contract only requires 72 hours, there is a compliance gap that creates liability for the Processor.
Crucially, the primary processor remains fully liable to the controller for the sub-processor's performance. If the sub-processor causes a data breach, the processor cannot disclaim responsibility—the controller pursues the processor, who must then seek recovery from the sub-processor.
The supply chain can extend indefinitely: Controller → Processor → Sub-processor → Sub-sub-processor ("Fourth Party"). The flow-down obligation continues at each level. Common sub-processor categories include infrastructure providers (AWS, Azure, Google Cloud), functionality services (Twilio, SendGrid, Auth0), and analytics platforms (Snowflake, Databricks).
For liability quantification, the number and quality of sub-processors in a supply chain contribute to operational risk. Each additional link in the chain increases the attack surface for data breaches and compliance failures. A vendor with 50+ opaque sub-processors carries higher risk than one with 3 transparent, Tier-1 sub-processors.