CIPP/E Study Guide
Ch 18.3.5 - Engaging sub-processors

Subcontracting conditions

Where outsourcing forms a chain, Articles 28(2) and (4) set conditions on engaging a sub-processor. The customer must give prior specific or general written authorisation. With general authorisation, the processor must inform the controller of intended additions or replacements and give it an opportunity to object. The processor must flow down the same obligations to the sub-processor, and the main supplier remains liable to the customer for any breach by the sub-processor.

Under Articles 28(2) and (4), the contract between the customer (or a group entity of the controller) and the main supplier must satisfy four conditions when sub-processors are involved.

  1. The customer must give prior specific or general written authorisation for engaging a sub-processor
  2. Where authorisation is general, the processor must inform the controller of any intended addition or replacement of sub-processors and give it the opportunity to object
  3. The processor must impose the same contractual obligations on any sub-processor that apply to it
  4. The main supplier remains liable to the customer for any breach by the sub-processor

Liability does not pass down

Flowing obligations down the chain does not shift the risk: the main supplier remains fully liable to the customer for the sub-processor's performance.

Key terms - quick answers

What is “Articles 28(2) and (4)”?
GDPR provisions regulating when and how a processor may engage a sub-processor and the liability that follows.
What is “General written authorisation”?
Advance permission to use sub-processors, subject to a duty to notify changes and give the controller a chance to object.
What is “Specific written authorisation”?
Permission granted for a named sub-processor or specific engagement.