VND-003 Sub-Processor Management
Description
A current register of all sub-processors (vendors who process personal data on behalf of the organisation as a processor) is maintained. Customers are notified of intended sub-processor changes with sufficient notice to object. Sub-processors are bound by data processing obligations equivalent to those owed to the controller. Sub-processors are subject to due diligence before engagement.
Rationale
Uncontrolled sub-processing chains are a material GDPR risk and a customer trust issue. SaaS providers acting as processors must disclose and control their sub-processor chain.
Framework Mappings (5)
| Reference | Requirement | Coverage |
| --- | --- | --- |
| DSP-13 | Personal Data Sub-processing | full |
| DSP-14 | Disclosure of Data Sub-processors | full |
| GDPR-Art.28.2 | Sub-processor Authorisation and Control | full |
| GDPR-Art.29 | Processing Under Controller Authority | partial |
| A.10.2 | Allocating responsibilities | partial |
Evidence (2)
Current sub-processor register listing all third parties who process personal data on behalf of the organisation in its role as a data processor.
Example: Published sub-processor list (company trust page or customer-facing documentation) and internal sub-processor register — listing each sub-processor with: name, role, data categories processed, processing location, DPA status, and notification sent date for any additions in the last 12 months
Test: Request the sub-processor register. Verify: (1) a complete and current list exists covering all vendors who handle personal data in a processing capacity, (2) processing location and data categories are documented for each, (3) a DPA is in place with every listed sub-processor, (4) the list is published or made available to customers, (5) addition notifications to customers are evidenced for any sub-processors added in the last 12 months.
Sub-processor agreements or DPA flow-down documentation confirming that sub-processors are bound by equivalent data protection obligations.
Example: Executed DPAs between the organisation and its sub-processors (e.g. AWS DPA, Stripe DPA) — demonstrating that processing obligations from the controller's DPA are flowed down, including: processing instructions, data subject rights assistance, deletion obligations, security requirements, and prohibition on further sub-processing without approval
Test: Request DPAs for the top 5 sub-processors. Verify: (1) DPA obligations are materially equivalent to those imposed on the organisation by its customers, (2) sub-processors are prohibited from further sub-processing without the organisation's written consent, (3) deletion/return of data obligations are included, (4) DPAs are signed and current.
Questions (2)
Does your organisation maintain a current register of all sub-processors, notify customers of intended changes, and ensure sub-processors are bound by data protection obligations equivalent to those owed to the controller?
The sub-processor register should be publicly accessible or available to customers on request. Customer notification of sub-processor changes must occur with sufficient notice for the customer to object.
How does your organisation manage changes to the sub-processor list?
Advance notification with a right to object is the standard expected by enterprise customers and is required under GDPR Art.28.2. A published list without proactive notification is a weaker but common approach — the customer should confirm whether this satisfies their contractual requirements.