GDPR Art. 28(4)

Subprocessor

A third party engaged by a data processor to carry out specific processing activities on behalf of the data controller.

A subprocessor is any third-party organization that a data processor uses to help fulfill its obligations under a Data Processing Agreement. Under GDPR Article 28(4), processors must obtain prior written authorization from the data controller before engaging subprocessors.

For example, if your SaaS product uses a payment processor, and that processor uses a cloud provider to host infrastructure, you must be aware of and authorize that subprocessing chain. Most GDPR-compliant vendors publish a public list of their subprocessors.

Failure to disclose or authorize subprocessors is a common GDPR compliance gap. Your privacy policy should list key subprocessors and link to a regularly updated subprocessor list.
