Updated 25 May 2026

The 30-day subprocessor notice is a myth

A widespread belief holds that GDPR requires 30 days’ notice before a subprocessor change. It does not. Article 28(2) requires prior notice and a genuine right to object, but it names no number of days - the timeframe is whatever your Data Processing Agreement sets. This guide explains where the 30-day idea came from, what the law actually requires, and how to choose a defensible notice period.

Key facts

  • 01 GDPR Article 28(2) requires a processor under general authorisation to inform the controller of subprocessor changes and give it the chance to object - but it specifies no fixed number of days.
  • 02 The "30 days" figure is a contractual convention, popularised by major vendors’ DPAs - not a statutory requirement.
  • 03 The EDPB’s position is that the DPA should define the notice timeframe, and that failure to object within it can count as authorisation.
  • 04 What the law actually requires is prior notice and a meaningful opportunity to object before the change takes effect - the period must be long enough to make the objection right real.
  • 05 The number that binds you is the one written in your own DPA; pick it deliberately and then actually meet it.

§ I

The myth

Ask around about subprocessor changes and you will hear the same thing repeated as fact: “GDPR requires 30 days' notice.” It is in countless blog posts, sales decks, and internal compliance wikis. It is also wrong. GDPR sets no fixed notice period for subprocessor changes - not 30 days, not any number.

The myth is not harmless. Teams either chase a number the law never set while missing the obligation that it did, or they assume that because they have not heard from a provider in 30 days everything is fine. Both miss what Article 28 actually asks for.

§ II

What Article 28(2) actually says

Under general written authorisation, Article 28(2) requires the processor to do two things when it intends to add or replace a subprocessor:

  • Inform the controller of the intended change - actively flag it, in advance, not bury it in a page edit.
  • Give the controller the opportunity to object before the change takes effect.

That is the whole requirement, and notice the absence: no number of days appears anywhere in it. The regulation describes a mechanism - prior notice plus a real objection right - and leaves the timing to the parties. The EDPB has been explicit that the contract should set the timeframe for approval or objection, and that a controller's failure to object within that agreed window can be treated as authorisation.

§ III

Where the 30 came from

If the law never said 30, why does everyone believe it? Because the market said it. When the large cloud and SaaS vendors wrote their standard Data Processing Agreements, many of them picked a 30-day notice window as a sensible default. Those DPAs are signed by hundreds of thousands of companies, so the number spread by repetition until it hardened into folklore.

In reality the periods vary. Plenty of vendors use 14 days; some use 10; some use longer windows for material changes; a few pair a short window with an expedited objection process. The apparent consensus on 30 is an artifact of everyone copying similar templates - useful as a benchmark, but not a legal floor or ceiling.

§ IV

How to set a notice period that holds up

Since the number is yours to choose, choose it deliberately:

  • Pick a period you can always meet. A window in the commonly-seen 14-to-30-day range is defensible and matches buyer expectations - but the best period is the one you honour every single time, because a missed self-imposed deadline is worse than a modest one met reliably.
  • Make the objection right real. The window has to be long enough for a customer to actually assess the new subprocessor and respond. A token period on a significant change does not satisfy the law even if the contract permits it.
  • Write it down precisely. Define the period in your DPA, state how notice is given, and say what happens if the controller objects. “Reasonable notice” invites disputes; a concrete, honoured period does not.

And keep the real obligation in view. The risk the myth obscures is not picking the wrong number - it is giving no prior notice at all. A silent edit to your subprocessor page never satisfies Article 28(2), because the controller never got the chance to object. The notification is the obligation, not the page edit.

FAQ

Frequently asked questions

Does GDPR require 30 days’ notice for a subprocessor change?
No. Article 28(2) requires a processor operating under general written authorisation to inform the controller of any intended addition or replacement of subprocessors and to give the controller the opportunity to object. It does not specify 30 days, or any other number. The 30-day figure people cite is a contractual norm, not a statutory rule - it comes from how many vendors chose to write their DPAs, not from the regulation itself.

So where did "30 days" come from?
From the market, not the law. When major cloud and SaaS vendors drafted their standard DPAs, many settled on a 30-day notice window as a reasonable default, and because those DPAs are so widely used, the number propagated until it felt like a rule. Some vendors use 10 days, some 14, some longer; a few use a shorter window with an expedited objection process. The consistency is an artifact of copying common templates, not a legal floor.

What does the law actually require, then?
Two things: prior notice of the intended change, and a genuine opportunity for the controller to object before it takes effect. The EDPB’s guidance is that the contract should set the timeframe for approval or objection, and that if the controller does not object within the agreed window, that can be treated as authorisation. The substance the law cares about is that the notice is genuinely prior and the objection right is genuinely usable - a one-day window on a major change would not satisfy that, regardless of what the contract said.

What notice period should I put in my DPA?
Choose deliberately and make it workable for both sides. A period in the range commonly seen - often 14 to 30 days - is defensible and matches buyer expectations, but the right answer is the one you can actually meet every time and that gives your customers a real chance to assess and object. Whatever you pick, define it explicitly in the DPA, describe how notice is given, and state what happens if the controller objects. A vague "reasonable notice" invites disputes; a concrete period you reliably honour does not.

If 30 days isn’t mandatory, can I just edit my page silently?
No - that is the real risk hiding behind the myth. The danger is not missing a magic number; it is failing to give prior notice and an objection window at all. A silent edit to your subprocessor page does not satisfy Article 28(2), no matter how current the page is, because the controller never got the chance to object before the change took effect. The page is the record; the notification is the obligation.

This guide is general information only and does not constitute legal advice. For advice on your specific situation, consult a qualified legal professional.