Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Sub-Processor Under UK GDPR?
- Why Sub-Processors Matter For Your Business
- Common Examples Of Sub-Processors (And Non-Examples)
- What Good Sub-Processor Clauses Look Like
- How This Fits Into Your Wider UK GDPR Compliance
- Practical Tips To Stay Compliant Without Slowing The Business
- Key Legal Documents You’ll Likely Need
- Key Takeaways
If your business uses cloud software, outsourced IT support or marketing tools, there’s a good chance sub-processors are handling your customers’ personal data behind the scenes.
That’s not inherently a problem - but under UK GDPR and the Data Protection Act 2018, you have legal duties to control who those sub-processors are, what they do, and how they protect data.
In this guide, we’ll explain what a sub-processor is, why it matters for small businesses, and the practical steps to stay compliant and protected from day one.
What Is A Sub-Processor Under UK GDPR?
Let’s start with the basics. Under UK GDPR, there are three key roles to understand:
- Controller - the business that decides why and how personal data is processed (that’s typically you, if you collect customer data).
- Processor - a supplier that processes personal data on your behalf and per your instructions (for example, an email marketing platform you use to send newsletters).
- Sub-processor - a third party engaged by your processor to help them process the personal data for you (for instance, the email platform’s cloud hosting provider or analytics add-on).
In short: a sub-processor is your supplier’s supplier, and they can still handle your customers’ data. That’s why the law requires oversight and written authorisation.
Two quick clarifications that trip businesses up:
- If a vendor decides their own purposes for data (for example, many payment gateways perform fraud checks and keep their own records), they’re often an independent controller, not a sub-processor.
- “Sub-processor” is about personal data. If the third party doesn’t touch personal data, they’re not a sub-processor in the GDPR sense.
Why Sub-Processors Matter For Your Business
Even if you only contract with one primary supplier, your risk doesn’t end there. Sub-processors can increase your exposure in a few ways:
- Security - more systems and people mean more potential breach points.
- Transfers - a sub-processor may store data overseas, triggering international transfer rules.
- Compliance - without the right clauses, you may not have the power to audit, object to changes, or ensure deletion at the end of the contract.
- Reputation - customers will hold you responsible if their data is mishandled, regardless of whose server it was on.
UK GDPR anticipates these risks. Article 28 requires processors to obtain your prior written authorisation before appointing sub-processors, and to flow down the same data protection obligations to them. You’re expected to exercise oversight - not just hope for the best.
Common Examples Of Sub-Processors (And Non-Examples)
To make this real, here are scenarios we see frequently in SMEs:
- Cloud hosting for your CRM - your CRM provider engages a UK or EU data centre (sub-processor).
- Bulk email delivery - your marketing platform uses a specialist mail delivery network (sub-processor).
- Customer support software - your helpdesk tool uses a third-party ticket search/indexing service (sub-processor).
- Managed IT provider - they engage a remote monitoring tool or outsourced helpdesk (sub-processor).
And examples that are typically not sub-processing (they may be separate controllers):
- Payment gateways performing fraud checks and settling funds (often independent controllers).
- Credit reference agencies making their own assessments.
- Couriers that determine their own routing and delivery data retention.
The practical takeaway: check whether a supplier is acting strictly on your instructions about personal data. If yes, any of their downstream helpers are likely sub-processors; if not, you’re probably looking at separate controllers and will need appropriate terms for controller-to-controller sharing.
What Are Your Legal Duties Around Sub-Processors?
As a controller contracting a processor, you must ensure specific protections are in place before any sub-processor gets involved. The essentials include:
1) Written Authorisation To Appoint Sub-Processors
Your contract should only allow sub-processors with your prior authorisation. This can be:
- Specific authorisation - you approve each sub-processor individually; or
- General authorisation - you approve a class of sub-processors, provided the processor notifies you in advance of any change and you have a right to object.
In practice, many suppliers maintain a public “sub-processor list” and commit to notify you of additions with a right to object within a set period. That’s fine - provided it’s clearly written and you actually review those notices.
2) Flow-Down Of Article 28 Obligations
Your processor must impose the same data protection obligations on its sub-processors as you imposed on the processor. This should cover:
- Processing only on documented instructions
- Confidentiality commitments of personnel
- Appropriate technical and organisational security measures
- Assistance with data subject rights and incident response
- Deletion or return of data at end of services
- Audit cooperation and information provision
3) International Transfers
If a sub-processor is outside the UK (or uses servers outside the UK), international transfer rules apply. You’ll need a lawful transfer mechanism, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus a transfer risk assessment. Always confirm where data will be stored and accessed - don’t assume “EU-based” tools never back up outside the UK.
4) Security And Breach Management
Ensure your contracts require prompt reporting of security incidents and cooperation so you can meet your own duty to report certain personal data breaches to the ICO within 72 hours, where required. Having a written Data Breach Response Plan is critical so your team and suppliers know exactly what to do under pressure.
5) Transparency To Customers
Your Privacy Policy should explain who you share data with and why, including categories of recipients (e.g., cloud hosting providers, customer support partners). If your tools use cookies or similar technologies, publish and maintain a clear Cookie Policy and use compliant banners.
How To Manage Sub-Processors Step-By-Step
You don’t need a giant compliance team to manage this well. A lightweight, repeatable process will do the job for most SMEs.
Step 1: Map Your Processing And Suppliers
List the personal data you collect (customers, prospects, employees, suppliers) and the systems that touch it. For each system, identify whether the vendor is a processor or a controller. Ask your processors for their current sub-processor list and data residency locations.
Step 2: Put The Right Contracts In Place
You should have a written Data Processing Agreement (DPA) with every processor. This can be a standalone agreement or part of your master services agreement. Include a detailed Data Processing Schedule that sets out scope, types of data, security measures, sub-processor authorisation mechanics, and deletion protocols.
Where you and another business each act as separate controllers but share personal data (e.g., a partner referral arrangement), use a Data Sharing Agreement tailored for controller-to-controller sharing instead - a DPA is not appropriate in that scenario.
Step 3: Approve And Monitor Sub-Processors
Adopt a simple approval process:
- Before onboarding or renewing a processor, review their sub-processor list and data locations.
- Check certifications (e.g., ISO 27001), technical measures (encryption in transit/at rest), and breach history.
- Confirm the contractual right to object to new sub-processors and how you’ll be notified of changes.
- Document your decision (a quick email note or approval log is fine for small teams).
Set a diary reminder to re-check whenever you receive notice of a sub-processor change. If you genuinely object, you’ll need a fallback plan (e.g., switching plans or suppliers).
Step 4: Manage International Transfers
If any sub-processor stores or accesses data outside the UK, obtain and file the relevant transfer mechanism (IDTA or UK Addendum) from your supplier. Make sure your DPA obliges your processor to keep these instruments up to date and to complete transfer risk assessments when countries or sub-processors change.
Step 5: Prepare For Incidents And Requests
Train your team on what to do if a supplier reports a breach, and who to contact. Your DPA should require immediate notification and cooperation. Also, line up a simple playbook for data subject requests so processors and sub-processors can help meet SAR deadlines if you receive access, deletion or correction requests that touch their systems.
What Good Sub-Processor Clauses Look Like
When you’re reviewing or negotiating a DPA, watch for these practical points:
- Clear authorisation model - specific or general - with advance notice of changes and a meaningful right to object.
- Up-to-date public sub-processor list - accessible URL with versioning and change history.
- Security standards - concrete measures (encryption, access controls, backups, vulnerability management), not vague promises.
- Audit and information rights - a pragmatic right to receive third-party audit reports and to ask reasonable questions; on-site audits only where necessary and with fair limits.
- Deletion/return on exit - data will be fully deleted or returned within a set period, including from backups where feasible.
- Incident cooperation - prompt reporting, timelines, and allocation of responsibilities for communication and remediation.
- International transfers - named mechanisms and obligation to maintain them for every sub-processor.
Many suppliers will point to their standard terms, which is fine if those terms genuinely cover the points above. If they don’t, ask for additions in the DPA or an addendum. It’s much easier to agree this upfront than in the middle of a breach.
How This Fits Into Your Wider UK GDPR Compliance
Managing sub-processors is part of a bigger privacy picture. Alongside robust DPAs and oversight, make sure you’ve covered the basics:
- Publish a clear, accurate Privacy Policy that reflects your actual data flows and recipients.
- If you set cookies or use tracking tools, maintain a compliant Cookie Policy and consent banner.
- Register with the ICO if required and understand any ICO fee exemptions that may apply.
- Document your processing activities and keep them current (what data you collect, where it’s stored, who you share it with).
- Have incident response procedures and a tested Data Breach Response Plan.
- Train staff on phishing, password hygiene and how to escalate privacy issues quickly.
If you’re setting this up for the first time, it can feel like a lot, but once your templates and processes are in place, ongoing maintenance is light-touch.
FAQs Small Businesses Ask About Sub-Processors
Do I Need To List Every Sub-Processor In My Privacy Policy?
You don’t need to name each one, but you do need to be transparent about the categories of recipients (for example, cloud hosting, analytics, communications providers) and the fact that data may be transferred outside the UK where relevant.
Can I Object To A New Sub-Processor?
If your DPA uses “general authorisation,” you should have a right to object within a set period after notice. If you object, work with the processor on alternatives; if none exist, you may need a termination right for the affected service.
What If My Processor Adds A Sub-Processor Without Telling Me?
That’s a red flag. Under UK GDPR, prior authorisation is required. Ask them to halt the change until appropriate authorisation and flow-down clauses are in place. If they refuse, consider switching suppliers.
Do I Need To Audit Sub-Processors Myself?
Not usually. Most SMEs rely on their processor’s due diligence and third-party certifications. Your DPA should give you the right to information and audit reports, and an escalation path for serious concerns.
How Do Sub-Processors Affect Data Subject Rights?
Your processor (and their sub-processors) must assist you in meeting rights requests. Build this into your DPA and keep a simple playbook so you can coordinate quickly and meet SAR deadlines without fuss.
Practical Tips To Stay Compliant Without Slowing The Business
- Standardise your onboarding - make a short checklist for any new tool that processes personal data: DPA signed, sub-processor list checked, data locations confirmed, notices set up.
- Centralise documents - keep signed DPAs, transfer mechanisms and security summaries in one folder so you can find them fast.
- Automate notifications - subscribe to vendors’ sub-processor change feeds or mailing lists and route alerts to the right person.
- Keep your records lean - a one-page data map beats a perfect one that never gets updated.
- Right-size the clauses - push for what’s necessary for risk; avoid gold-plating that vendors won’t accept.
Key Legal Documents You’ll Likely Need
For most SMEs, the following documents form the core of sub-processor compliance and wider privacy hygiene:
- Data Processing Agreement with every processor that handles personal data for you.
- Data Processing Schedule detailing scope, security, sub-processor mechanics and deletion.
- Data Sharing Agreement where you share data with another controller.
- Privacy Policy that accurately describes your data practices and recipients.
- Cookie Policy and compliant cookie banners where tracking technologies are used.
- Data Breach Response Plan so you can act within the 72-hour window if needed.
It’s wise to have these tailored to your exact stack and risk profile rather than relying on generic templates - that way, your contracts match what actually happens with data in your business.
Key Takeaways
- A sub-processor is your processor’s own processor - a third party that handles your customers’ personal data on your supplier’s behalf.
- Under UK GDPR, processors need your prior written authorisation to appoint sub-processors and must flow down the same data protection obligations to them.
- Put a robust Data Processing Agreement and Data Processing Schedule in place with every processor, including clear sub-processor controls and incident cooperation.
- Check data locations and ensure lawful international transfer mechanisms are in place for any overseas sub-processor.
- Be transparent in your Privacy Policy, keep a simple approval-and-monitoring process for sub-processors, and maintain a practical Data Breach Response Plan.
- Stay on top of the essentials too, such as ICO fee exemptions, and keep a playbook so you can meet SAR deadlines with help from your processors.
If you’d like help reviewing your vendor stack, drafting DPAs or setting up a streamlined privacy framework, our team can guide you through it.
For tailored advice, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.