Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you use cloud tools, outsourced IT, payroll services or marketing platforms, there’s a good chance your suppliers use their own suppliers. Under UK GDPR, those “suppliers of your suppliers” are often sub-processors - and mishandling them is one of the fastest ways a compliant setup can come unstuck.
The good news? With the right contracts, checks and ongoing controls, managing sub-processors is straightforward. In this guide, we’ll unpack what a GDPR sub-processor is, when you need permission to use one, what your contracts must say, and a practical checklist to keep your business protected from day one.
What Is A GDPR Sub-Processor?
Let’s quickly anchor the roles under UK data protection law (UK GDPR and the Data Protection Act 2018):
- Controller - decides why and how personal data is processed. Most small businesses are controllers for their customers’ and employees’ personal data.
- Processor - processes personal data on behalf of a controller (for example, your cloud CRM provider running your customer database).
- Sub-processor - a processor engaged by another processor to carry out specific processing activities on the controller’s behalf (for example, your CRM provider’s cloud hosting partner).
Why does this matter? Because if you are the controller, you must ensure your processors and their sub-processors meet UK GDPR standards. And if you act as a processor for a client (common for agencies, IT providers or SaaS businesses), you can’t appoint a sub-processor without the controller’s prior written authorisation and must flow down the same obligations.
Do You Need Permission To Use A Sub-Processor?
Yes, if you are a processor. Article 28(2) UK GDPR requires that a processor only engages another processor with the controller’s prior written authorisation, which can be specific (per appointment) or general (a standing approval with change notifications).
There are two common approaches to authorisation in your contract:
- Specific authorisation - the controller must pre-approve each new sub-processor in writing before you appoint them.
- General authorisation - you maintain a list of approved sub-processors and notify the controller of changes, giving them a chance to object within a set period (for example, 15 or 30 days).
Both options are lawful. General authorisation with robust notice and objection rights is practical for growing businesses that may add or swap vendors.
If you are the controller, you should ensure your processor needs your approval before engaging sub-processors and that you have clear rights to audit, object or exit if risks are unacceptable.
How To Vet And Appoint A Sub-Processor
Whether you’re a controller choosing a processor or a processor selecting a sub-processor, the due diligence steps are similar. Aim for evidence, not promises.
1) Map The Data And Purpose
- Identify the personal data categories the sub-processor will handle (names and emails? payment data? special category data?).
- Define the processing purpose and your lawful basis (e.g. performance of a contract, legitimate interests, consent, etc.).
- Check if any data will leave the UK (or UK and EEA) and what transfer safeguards will apply.
2) Assess Security And Compliance
- Review security certifications (ISO 27001, SOC 2), penetration testing summaries and security whitepapers.
- Ask about encryption in transit/at rest, access controls, MFA, logging and segregation of environments.
- Understand incident detection, escalation and breach notification timelines.
- Confirm how data is deleted or returned at the end of the engagement.
3) Check Policies And Records
- Request privacy documentation that aligns with UK GDPR requirements.
- Verify staff training, confidentiality commitments and background checks appropriate to risk.
- If the processing is likely to result in a high risk to individuals (for example large-scale processing of special category data, or systematic monitoring), a DPIA (Data Protection Impact Assessment) is mandatory under Article 35 UK GDPR; for anything borderline, document why you decided one was not needed.
4) Lock Down The Contract
- Make sure you have a written Data Processing Agreement that reflects Article 28 UK GDPR, with clear flow-down obligations to any sub-processor.
- Attach a scope and technical detail in a Data Processing Schedule covering the subject matter, duration, nature, purpose and types of personal data.
- If personal data is shared between independent organisations deciding their own purposes, use a Data Sharing Agreement instead - a different legal relationship from processing on behalf of a controller.
5) Set Up Change Control
- Publish and maintain a live sub-processor list and notify controllers of changes with an objection window.
- Define exit rights if a controller reasonably objects to a new sub-processor and alternatives can’t be agreed.
- Document your vendor risk reviews and keep evidence on file.
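Change control is easier to keep honest if the list diff and the objection clock are handled mechanically rather than by someone re-reading a vendor’s web page. The script below is an added example and is not code from the page or from any vendor: it diffs two snapshots of a published sub-processor list, flags additions and hosting moves that would be a restricted transfer with no stated mechanism, and dates every item with the contractual objection deadline. The vendor names, the two snapshots and the set of countries treated as needing no separate transfer mechanism are constructed assumptions for illustration; check the current UK adequacy regulations rather than the hard-coded set.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative assumption, not a legal determination: countries for which this
# script treats no separate transfer mechanism as needed (the UK itself plus a
# sample of EEA states covered by UK adequacy regulations). Check the current
# UK adequacy list before relying on it.
ADEQUATE = {"GB", "IE", "DE", "FR", "NL", "SE"}


@dataclass(frozen=True)
class SubProcessor:
    name: str
    service: str
    country: str          # ISO 3166-1 alpha-2 code of where data is stored or accessed
    mechanism: str = ""   # stated transfer safeguard, e.g. "IDTA" or "UK Addendum"


def diff_lists(old, new):
    """Diff two snapshots keyed by sub-processor name.

    Returns (added, removed, changed); 'changed' pairs the old and new entry.
    """
    old_by = {s.name: s for s in old}
    new_by = {s.name: s for s in new}
    added = [s for n, s in new_by.items() if n not in old_by]
    removed = [s for n, s in old_by.items() if n not in new_by]
    changed = [(old_by[n], s) for n, s in new_by.items()
               if n in old_by and old_by[n] != s]
    return added, removed, changed


def transfer_findings(sp, previous=None):
    """Flag the transfer points a controller would want to object to or query."""
    findings = []
    if sp.country not in ADEQUATE and not sp.mechanism:
        findings.append("restricted transfer to %s with no stated mechanism" % sp.country)
    if previous is not None and previous.country != sp.country:
        findings.append("hosting moved from %s to %s" % (previous.country, sp.country))
    return findings


def change_report(old, new, notified_on, objection_days=30):
    """Turn a notified list change into dated action items.

    Every added or changed entry gets an objection deadline computed from the
    notification date and the contractual objection window, plus any findings.
    """
    added, removed, changed = diff_lists(old, new)
    deadline = notified_on + timedelta(days=objection_days)
    to_review = []
    for sp in added:
        to_review.append({"name": sp.name, "kind": "added",
                          "objection_deadline": deadline,
                          "findings": transfer_findings(sp)})
    for prev, sp in changed:
        to_review.append({"name": sp.name, "kind": "changed",
                          "objection_deadline": deadline,
                          "findings": transfer_findings(sp, prev)})
    return {"removed": [s.name for s in removed], "to_review": to_review}


# Constructed sample snapshots of a vendor's published list; the names are fictional.
SNAPSHOT_MARCH = [
    SubProcessor("Hostly", "cloud hosting", "IE"),
    SubProcessor("MailPipe", "transactional email", "US", "UK Addendum"),
    SubProcessor("LogVault", "log storage", "GB"),
]
SNAPSHOT_APRIL = [
    SubProcessor("Hostly", "cloud hosting", "IE"),
    SubProcessor("MailPipe", "transactional email", "US", "UK Addendum"),
    SubProcessor("LogVault", "log storage", "US"),          # moved, no mechanism stated
    SubProcessor("HelpDeskCo", "support ticketing", "IN"),  # new, no mechanism stated
]


def demo():
    """Run the report on the constructed snapshots with a 30-day objection window."""
    return change_report(SNAPSHOT_MARCH, SNAPSHOT_APRIL, date(2024, 4, 1), 30)


if __name__ == "__main__":
    for item in demo()["to_review"]:
        print(item["name"], item["kind"], "object by", item["objection_deadline"],
              "-", "; ".join(item["findings"]) or "no findings")
```

Run it against a saved copy of last month’s list and today’s: the unchanged entries produce nothing, the new ticketing vendor and the moved log store each come back with a deadline and a reason to raise with the vendor, and the output can go straight into the vendor register as the evidence that a review happened.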
What Must Your Contract Say About Sub-Processors?
Article 28 UK GDPR is your roadmap. Whether you are the controller–processor or processor–sub-processor, ensure the following are in place:
- Processing on documented instructions only - including restrictions on further sub-processing.
- Confidentiality - staff and contractors handling personal data are bound by appropriate confidentiality obligations.
- Security measures - implement appropriate technical and organisational measures (think encryption, access controls, resilience and recovery) and be able to demonstrate them.
- Sub-processor appointment conditions - no sub-processor without prior authorisation; obligations must be “flowed down” via a written contract mirroring Article 28 requirements.
- Data subject rights assistance - assist the controller with access, deletion and portability requests within required timelines.
- Assistance with compliance - including security, breach notifications, DPIAs, and ICO engagement.
- Deletion or return - at the end of services, delete or return personal data unless law requires retention.
- Information and audits - provide information or submit to audits to demonstrate compliance.
- International transfers - if data leaves the UK, specify the transfer mechanism (e.g. UK IDTA or UK Addendum to EU SCCs) and ongoing transfer risk assessments.
Also build the surrounding privacy framework. As the controller, publish a clear, accurate Privacy Policy that explains who processes data for you and why, and put a compliant Cookie Policy in place if you use cookies or similar technologies.
International Transfers And Sub-Processors
If a sub-processor stores or accesses personal data outside the UK, you need a lawful transfer mechanism. Common routes include:
- Adequacy regulations - transfers to countries the UK has deemed adequate (the EEA states, jurisdictions such as Switzerland, Japan and New Zealand, and, for the US, only organisations certified under the UK Extension to the EU-US Data Privacy Framework) can proceed without extra safeguards.
- International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs - standard contracts that, with a transfer risk assessment, provide appropriate safeguards to third countries.
- Derogations - narrow exceptions (e.g., explicit consent) for occasional, specific transfers. These are not a strategy for routine transfers.
Best practice is to standardise transfer documentation for all relevant vendors, include transfer language in your processing contracts, and keep your records of processing activities (RoPA) updated with where data actually goes in practice.
Managing Sub-Processors In Common Small Business Scenarios
Cloud CRM Or Marketing Platforms
Typical stack: CRM + email marketing + analytics + cloud storage. Expect multiple sub-processors. Review each provider’s sub-processor list, ensure you receive change notifications, and document your objection rights and the objection window. Clarify whether they use the data for their own purposes (for example product analytics or advertising), which may make them a controller for some activities, versus acting purely as your processor.
Outsourced IT And Managed Service Providers (MSPs)
MSPs often use ticketing tools, remote monitoring, backups and third-party field engineers. Lock in specific security standards, breach notification timelines and approval processes before any sub-processing begins. For high-risk environments, consider a right to review penetration test outcomes or a minimum control set (e.g., CIS benchmarks).
Payroll And HR Vendors
HR systems may process special category data (e.g., health information for sick leave). Ensure lawful basis is clear, additional safeguards are implemented and sub-processors are limited to what’s necessary. Agree robust deletion and offboarding processes when employees leave and when you change providers.
International Team And Collaboration Tools
Tools may replicate data globally. Confirm regional hosting options, administrator controls to restrict transfers where possible, and that the IDTA or Addendum is in place if data is accessed from outside the UK. Keep a simple log of where each key tool stores data to speed up DPIAs and audits.
Breach, Requests And Ongoing Compliance: Keeping Control Over Time
Once the contracts are signed, the job isn’t done. Build a routine cadence to monitor sub-processors and respond to issues quickly and lawfully.
Incident Response
- Make sure your vendors notify you without undue delay if they suffer a personal data breach (Article 33(2) UK GDPR). As controller you have 72 hours from becoming aware to notify the ICO where the breach is likely to result in a risk to individuals, so align vendor timelines with your own Data Breach Response Plan - a vendor that takes three days to tell you has already used your whole window.
- Agree which party drafts notices to affected individuals and the ICO, and how the facts will be verified before release.
- Require post-incident reports and remediation plans, not just notifications.
Data Subject Requests
- Ensure processors and sub-processors can help you respond to access or deletion requests quickly - you normally have one month to respond to a subject access request, and the data sitting with vendors still counts. Build response timelines into your contracts and service levels.
- Have a clear internal process for subject access request deadlines and who contacts which vendors for which data sets.
Retention And Deletion
- Set retention rules in your processing schedule and verify that your vendors can implement automated deletion once data is no longer needed.
- Document your approach to archival data, backups and legal holds - and make sure sub-processors follow suit. If you’re planning your retention periods, start with clear guidance on how long you should keep personal data.
Governance And Review
- Maintain a live vendor and sub-processor register with risk ratings and next review dates.
- Schedule annual reviews of key vendors’ security and privacy posture and re-test breach notification flows.
- Ensure your public-facing notices (for example, your Privacy Policy and Cookie Policy) reflect current practice.
- Confirm that your ICO data protection fee registration is current, whether any fee exemptions apply, and when renewal is due.
Controller Vs Processor: Which One Are You?
Many small businesses wear more than one hat. You can be a controller for your own customers’ data and a processor for a client’s data at the same time. Getting this wrong often leads to contract mismatches and compliance gaps.
- Signs you’re a controller: You decide why the data is collected and how it is used (e.g., you market to your own customers, set retention periods, choose analytics tools).
- Signs you’re a processor: Your client tells you what to collect, you only process it to deliver their service, and you don’t re-use the data for your own independent purposes.
When acting as a processor, your contracts should mirror Article 28 and include strict rules about sub-processors. When acting as a controller, insist on those protections from your vendors and make sure you can approve or object to their sub-processor choices.
Practical Contract Tips That Save Headaches Later
- Be precise about scope - list the exact processing activities in a schedule. Vague wording creates ambiguity when sub-processors change.
- Use layered documents - a master services agreement plus a Data Processing Agreement and Data Processing Schedule helps you update processing details without renegotiating the entire deal.
- Include clear change notices - specify how you will notify sub-processor changes (email, dashboard, RSS feed) and the objection mechanism.
- Set minimum security standards - reference concrete controls (MFA, encryption, access logs, vulnerability management) and certification obligations.
- Define exit and transition support - require orderly handover to a replacement vendor and verified deletion of data (including backups where feasible).
- Keep it proportionate - tailor obligations to the risk and data sensitivity. Overly onerous terms can backfire if vendors won’t agree.
Common Mistakes To Avoid
- Assuming your vendor is “just a tool” - if they can access personal data, they’re usually a processor and must meet UK GDPR standards.
- Not flowing down obligations - your sub-processor contract must impose the same data protection duties you owe the controller.
- Forgetting overseas access - remote support teams or data replication can trigger international transfers even if primary hosting is in the UK.
- No change control - without notice and objection rights, you may inherit risk if your provider silently swaps to a riskier sub-processor.
- Weak breach coordination - delays at the sub-processor level can push you past legal reporting timelines. Align notification deadlines contractually.
- DIY legal documents - generic templates often miss UK-specific requirements or international transfer safeguards. Get your documents tailored to your stack and risk profile.
Key Takeaways
- A GDPR sub-processor is a processor engaged by another processor - the controller’s prior written authorisation (specific or general) is required, and the sub-processor’s obligations must mirror Article 28 UK GDPR.
- Use a robust contract stack, including a Data Processing Agreement and Data Processing Schedule, and a Data Sharing Agreement when organisations act as independent controllers.
- Vet sub-processors with evidence: security controls, certifications, breach processes, deletion practices and international transfer safeguards.
- Build operational controls: live sub-processor lists, change notifications and objection rights, regular reviews, and tested incident response.
- Plan for requests and retention: align vendors to your SAR timelines, deletion routines and published notices like your Privacy Policy and Cookie Policy.
- If data leaves the UK, document the transfer mechanism (IDTA or UK Addendum), conduct transfer risk assessments and keep records up to date.
If you’d like help drafting or reviewing your processor and sub-processor contracts - or setting up practical governance that fits your tech stack - you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.