Subprocessor
A third party engaged by a data processor to carry out specific processing activities on behalf of the data controller.
A subprocessor is any third-party organization that a data processor uses to help fulfill its obligations under a Data Processing Agreement. Under GDPR Article 28(4), processors must obtain prior written authorization from the data controller before engaging subprocessors.
For example, if your SaaS product uses a payment processor, and that processor uses a cloud provider to host infrastructure, you must be aware of and authorize that subprocessing chain. Most GDPR-compliant vendors publish a public list of their subprocessors.
Failure to disclose or authorize subprocessors is a common GDPR compliance gap. Your privacy policy should list key subprocessors and link to a regularly updated subprocessor list.