Guide / Notifications

Updated 24 May 2026

How to notify customers of a subprocessor change

When you add or replace a subprocessor, GDPR Article 28(2) requires you to give affected customers prior notice and a chance to object before the change takes effect. A clear, dated notice that names the new subprocessor, what it does, and where it processes data satisfies the obligation.

Key facts

  • Notice must be sent before the subprocessor change takes effect - notifying after the fact is a violation of GDPR Article 28(2).
  • GDPR does not set a fixed notice period. The objection window is whatever your DPA states; 10-30 days is common in commercial agreements, but it is a contractual term, not a statutory number.
  • Each notice should identify the subprocessor by name, the purpose and category of processing, the country where data is processed, any transfer mechanism used if outside the EEA, the effective date, and instructions for how to object.
  • Under a general-authorisation DPA, a customer's silence after the objection window closes is typically treated as acceptance of the change.
  • Keep a dated record of every notification sent and any objections received - compliance buyers and supervisory authorities may ask for this audit trail.

§ I

The obligation in plain English

GDPR Article 28(2) states that a processor must not engage a subprocessor without the controller's prior written authorisation. In practice, most commercial B2B SaaS contracts use a general written authorisation model: the customer (controller) agrees upfront that you may use subprocessors, subject to two conditions - you maintain a current list, and you give prior notice of any additions or replacements so the customer can object before the change takes effect.

The alternative is specific authorisation, where the customer must individually approve each new subprocessor. This is rare in SaaS arrangements because it gives a single customer effective veto power over your infrastructure choices. Unless your DPA explicitly requires it, you are almost certainly operating under general authorisation.

Under general authorisation, the notification step is what makes the change lawful. Skipping it - or sending notice after the subprocessor is already processing data - removes the customer's opportunity to object and puts you in breach of the DPA and the regulation. The obligation is prior notice, not concurrent or retrospective.

§ II

What a good notice must contain

A legally adequate notification is not just “we added a new vendor.” Customers need enough information to evaluate the change and decide whether to object. A well-drafted notice should include:

  • The subprocessor's name and entity: Full legal name and, where helpful, a brief description of the company.
  • Purpose and category of processing: What the subprocessor will do with personal data (e.g. transactional email delivery, payment processing, infrastructure hosting) and which categories of data it will handle (e.g. contact details, usage logs, billing information).
  • Processing location and transfer mechanism: The country or region where data is processed. If the subprocessor is outside the EEA, identify the transfer mechanism (Standard Contractual Clauses, adequacy decision, or equivalent safeguard).
  • The effective date: The specific date on which the subprocessor will begin processing customer data. This anchors the objection window.
  • How to object: A clear instruction - a reply-to address, a support ticket link, or a named contact - and the deadline for raising an objection. If your DPA specifies the window, restate it in the notice.
  • Change type: Whether this is an addition of a new subprocessor, a replacement of an existing one, or a material update to an existing subprocessor's scope.

Keep the notice short and factual. Customers receiving these regularly appreciate predictable formatting over marketing prose.

§ III

Copy-paste email template

The following template can be adapted to your company's style. Replace every bracketed placeholder before sending. The subject line follows a consistent pattern so customers can filter or search their inbox.

Subject: Notice of subprocessor change - [Subprocessor Name] effective [Effective Date]

Dear [Customer Company / Privacy Contact Name],

This notice is provided in accordance with our Data Processing Agreement (DPA) with you
dated [DPA Date].

We are writing to inform you that [Your Company] will engage a new subprocessor to
support the delivery of our services:

  Subprocessor:     [Legal name of the subprocessor, e.g. "Resend, Inc."]
  Purpose:          [Brief description, e.g. "Transactional email delivery - sends
                    system notifications and product updates to your end users on
                    our behalf."]
  Data processed:   [Categories of personal data, e.g. "Email addresses and names
                    of your end users."]
  Processing location: [Country / region, e.g. "United States"]
  Transfer mechanism:  [If outside EEA, e.g. "EU Standard Contractual Clauses (2021)"]
  Effective date:   [Date the subprocessor begins processing, e.g. "2026-07-01"]

This change is classified as: [Addition of a new subprocessor / Replacement of
[Previous Subprocessor Name] / Update to existing subprocessor scope]

Under our DPA, you have the right to object to this change within [N] days of this
notice (i.e. by [Objection Deadline Date]). To raise an objection, reply to this
email or contact us at privacy@[yourdomain.com], referencing "Subprocessor objection
- [Subprocessor Name]".

If we do not receive an objection by [Objection Deadline Date], the change will take
effect as described above.

Our current subprocessor list is published at [https://[your-subdomain].registora.com]
and is updated whenever a change occurs.

If you have any questions, please do not hesitate to contact us.

[Your Name]
[Title]
[Your Company]
[privacy@yourdomain.com]

§ IV

Handling objections and keeping records

If a customer objects within the window your DPA sets, acknowledge it promptly and in writing. Review whether you can accommodate the objection - for example, by routing that customer's data through an alternative subprocessor or delaying the change while you negotiate. If the new subprocessor is essential to service delivery and no workaround exists, explain that clearly and reference the DPA clause that covers termination in this circumstance. Document the entire exchange.

Under a general-authorisation DPA, a customer's silence after the objection deadline is typically treated as acceptance of the change. This is not implied by GDPR itself - it is a contractual mechanism, so confirm your own DPA wording before treating silence as consent.

For your audit trail, record the following for each notification cycle:

  • The date and time the notice was sent and to which contacts.
  • The exact content of the notice (or a version-controlled template reference).
  • Any objections received, when, from whom, and how they were resolved.
  • The actual date the subprocessor began processing data.

Supervisory authorities and enterprise procurement teams increasingly ask for this record during audits. Keeping it current costs little effort at send-time but is difficult to reconstruct retroactively.

To stay ahead of upstream changes - when your subprocessors add their own sub-vendors - monitor their published lists regularly. Registora tracks the major providers and flags updates daily. You can also audit your current public register to confirm it reflects the latest upstream state. Registora auto-drafts Article 28(2) notices into an approval queue whenever a monitored provider changes, so your team reviews and sends rather than writing from scratch.

FAQ

Frequently asked questions

How much notice do I have to give before adding a subprocessor?

GDPR does not fix a number. Article 28(2) requires prior notice and an opportunity to object, but the length of that window is set by your Data Processing Agreement with each customer. Ten to thirty days is common in commercial DPAs, but you should check your own contracts. If your DPA is silent, give as much notice as practically possible and document your reasoning.

What if a customer objects to a subprocessor change?

You must take the objection seriously. Practically, your options are: (1) do not onboard the new subprocessor for that customer's data, (2) negotiate a workaround, or (3) acknowledge that you cannot continue the service without the subprocessor, in which case either party may terminate the DPA. The right outcome depends on your contract terms. Document all objections and how they were resolved.

Do I need to notify customers when one of my subprocessors adds a sub-subprocessor?

This depends on how your DPA is drafted. If your DPA covers the subprocessor list as of the agreement date and any changes you make to it, upstream additions by your subprocessors do not automatically trigger your notification obligation - the subprocessor's own customers (you, as a controller) would receive that notice. However, if an upstream change means personal data is now processed in a new country or by a new entity in a materially different way, review whether your own privacy policy and register need updating.

Can customers subscribe to subprocessor updates instead of receiving individual emails?

Yes, provided your DPA or terms permit it. Some SaaS companies publish a changelog feed (RSS or email list) and reference it in their DPA as the notification mechanism. This is a convenient approach for customers who manage many vendor relationships. The key requirement is that the subscription channel must be reasonable notice - a buried RSS feed with no proactive push is unlikely to satisfy the spirit of Article 28(2).

Does the notification have to be sent by email?

GDPR does not specify a channel. Email is the most common method because it creates a timestamped record and reaches the customer's designated privacy or legal contact directly. In-app banners or account portal notices may suffice if your DPA references them, but email is the safest default because it gives you a delivery record and puts the obligation on the customer to read it.

This guide is general information only and does not constitute legal advice. For advice on your specific situation, consult a qualified legal professional.

Your turn

Keep your subprocessor register current - automatically.

Registora hosts your register on your own domain, monitors every upstream provider for changes daily, and drafts the customer notification when one updates.