Guides
Plain-language reference on GDPR subprocessor compliance - what the obligations are, how to meet them, and how to maintain a current register for your customers.
Fundamentals
What is a subprocessor?
A subprocessor is a third party that a processor engages to help process personal data on a controller's behalf - for example Stripe for payments or AWS for hosting. Under GDPR Article 28, they must be disclosed and contractually bound to the same data-protection obligations.
24 May 2026
Controller, processor, subprocessor: who is who
GDPR assigns every party in a data flow one of three roles, and the role determines the obligations. A controller decides why and how personal data is processed; a processor acts on the controller’s instructions; a subprocessor is a processor that another processor engages. Getting the role right matters because every Article 28 duty flows from it.
25 May 2026
The law
GDPR Article 28, explained
GDPR Article 28 governs the relationship between a data controller and the processors it engages. It requires a written contract (a Data Processing Agreement) with specific mandatory terms, sets the rules for engaging subprocessors, and makes the processor accountable for the whole chain.
24 May 2026
The DPA guide: data processing agreements for SaaS
A Data Processing Agreement (DPA) is the written contract GDPR Article 28 requires whenever one party processes personal data on another’s behalf. It fixes the scope of processing, imposes eight mandatory obligations on the processor, governs how subprocessors are used, and is the document enterprise buyers ask for first. This guide covers what a DPA must contain and how a SaaS company handles one in both directions.
25 May 2026
In practice
How to build a subprocessor page
A subprocessor page is a public list of the third parties your company uses to process customer data. To build one, inventory every vendor that touches personal data, list each with its purpose and processing location, publish it at a stable public URL, and keep it current as your stack and your upstream providers change.
25 May 2026
How often do subprocessor lists change?
Upstream subprocessor lists change more often than most teams expect - large providers revise theirs several times a year, and they almost never announce it. That cadence is exactly why a subprocessor page goes stale silently, and why automated monitoring beats a calendar reminder. Here is what the real frequency looks like and what it means for keeping your own register current.
25 May 2026
Subprocessors in security questionnaires
Enterprise buyers run security questionnaires before they sign, and the subprocessor section is a common place deals stall. The questions are really checking whether you know your data supply chain, disclose it, bind your vendors contractually, and notify customers when it changes. A current, public subprocessor list answers most of them with a single link.
25 May 2026
The EDPB 2026 transparency sweep and the recipient-disclosure prong
On 19 March 2026 the EDPB launched its annual Coordinated Enforcement Framework action, with 25 European data protection authorities examining transparency and the right to be informed under GDPR Articles 12-14. One core requirement they check - disclosing the recipients of personal data - is where your processor and subprocessor list sits.
29 May 2026
Notifications
How to notify customers of a subprocessor change
When you add or replace a subprocessor, GDPR Article 28(2) requires you to give affected customers prior notice and a chance to object before the change takes effect. A clear, dated notice that names the new subprocessor, what it does, and where it processes data satisfies the obligation.
24 May 2026
The 30-day subprocessor notice is a myth
A widespread belief holds that GDPR requires 30 days’ notice before a subprocessor change. It does not. Article 28(2) requires prior notice and a genuine right to object, but it names no number of days - the timeframe is whatever your Data Processing Agreement sets. This guide explains where the 30-day idea came from, what the law actually requires, and how to choose a defensible notice period.
25 May 2026