A subprocessor is a third party engaged by a data processor to carry out specific processing activities on behalf of the data controller. Under the GDPR, processors may only engage subprocessors with the prior specific or general written authorisation of the controller. When general authorisation is used, the processor must inform the controller of any intended changes, giving the controller the opportunity to object.
Managing subprocessors is a critical aspect of third-party risk management. Organisations must ensure that subprocessor agreements include the same data protection obligations as the primary processing agreement. Maintaining an up-to-date register of all subprocessors, along with their locations and processing activities, is essential for transparency and for responding to data subject enquiries or supervisory authority requests.