Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re a small business, chances are you rely on other companies to help you run day-to-day operations – things like cloud storage, email marketing, payroll, customer support tools, online bookings, or even outsourced IT.
Under UK GDPR, those “behind the scenes” suppliers raise an important question: what is a sub-processor, and when do you need to care?
The short version is that a sub-processor is usually a supplier your supplier uses to process personal data for you. Even though you may never speak to them, they can still affect your compliance, your risk, and your contracts.
Below, we’ll break it down in plain English, from a small business perspective, with practical steps you can implement right away.
What Is A Sub-Processor (And How Is It Different From A Processor)?
To understand what a sub-processor is, it helps to quickly map the main UK GDPR roles:
- Controller: the person or business deciding why and how personal data is processed (often, this is you if you collect customer or employee data).
- Processor: a person or business processing personal data on the controller’s instructions (for example, a payroll provider processing employee data for you).
- Sub-processor: a person or business engaged by a processor to help them process personal data for the controller.
In other words:
You (controller) ➝ hire Supplier A (processor) ➝ Supplier A hires Supplier B (sub-processor)
A Simple Example
Let’s say you run an online store. You use a customer support platform to manage emails and tickets.
- You upload customer contact details and order info into the support platform.
- The support platform is your processor.
- The support platform hosts its servers with a cloud infrastructure provider, and uses a separate analytics tool to monitor performance.
- Those additional suppliers may be sub-processors.
This is why the “sub-processor” concept matters: you may have done due diligence on your direct supplier, but personal data can still flow to other organisations in the chain.
Is A Sub-Processor Always Another Company?
Often, yes – sub-processors are usually third-party companies providing specialist services such as hosting, email delivery, customer messaging, fraud prevention, or backup storage.
However, not every contractor or freelancer your processor uses will automatically be a “sub-processor”. They’re more likely to be a sub-processor where they are engaged to carry out processing activities for your processor (on your behalf) and they handle personal data for that purpose. In some cases, a contractor may instead be treated as personnel under the processor’s direct authority (and covered by confidentiality obligations), rather than a separate sub-processor.
Why Sub-Processors Matter For Small Businesses (The Real-World Risks)
For many small businesses, the biggest compliance risks don’t come from deliberate misuse of data – they come from not knowing where data goes, or not having the right contractual protections in place when suppliers rely on other suppliers.
Understanding what a sub-processor is matters because sub-processors can affect:
- Security risk: more organisations handling data can mean more potential weak points.
- International transfers: a sub-processor may store or access data outside the UK, which may trigger additional legal steps.
- Speed of incident response: if there’s a breach at a sub-processor, you’ll want timely notice through the chain.
- Customer trust: if your privacy information is vague or inaccurate, that can create reputational headaches.
- Contractual liability: your processor contract may push certain risks back onto you unless you negotiate carefully.
And importantly, sub-processors aren’t a “big company only” issue. Even a one-person consultancy can be affected if you use tools that rely on other vendors (which is almost all modern software).
Sub-Processors Can Affect Your Privacy Paperwork
If you’re collecting personal data from customers (or staff), you’ll usually need to explain what you’re doing with it and who it may be shared with. This commonly sits in your Privacy Policy.
You don’t always have to list every sub-processor by name in every situation (this depends on your set-up and transparency obligations), but you do need to be accurate and clear about categories of recipients, and you need to be able to stand behind what your suppliers are doing.
Who Is Responsible For A Sub-Processor Under UK GDPR?
This is where many businesses get confused, so let’s keep it practical.
Even though you may not directly appoint the sub-processor, the UK GDPR expects the controller (you) to take appropriate steps to ensure personal data is processed lawfully and securely throughout the chain. At the same time, processors and sub-processors also have their own direct UK GDPR obligations, and can be held accountable for failures in their role.
In broad terms:
- Your processor must not appoint a sub-processor without your authorisation (either specific authorisation or general authorisation, depending on the contract).
- Your processor must have a written contract with the sub-processor that imposes broadly equivalent data protection obligations.
- You (as controller) should put the right contract in place with your processor and carry out proportionate due diligence, because you remain responsible for your processing arrangements and compliance as a controller.
Do You Need A Contract That Covers Sub-Processors?
Yes – if a supplier is processing personal data for you (as a processor), your contract should deal with whether they can use sub-processors and on what terms.
This is typically dealt with in a Data Processing Agreement (often called a DPA – not to be confused with the Data Protection Act 2018).
Getting this right is one of those “set up your legal foundations early” steps. It’s much easier to address sub-processor rules before onboarding a supplier than after you’ve embedded them into your operations.
What If Your Supplier Won’t Negotiate?
Lots of software providers use standard terms. That doesn’t automatically mean you can’t use them, but you should:
- read the data protection clauses carefully (especially the sub-processor section)
- confirm they provide a sub-processor list and a process for updates
- check how they handle international transfers
- make sure they commit to appropriate security measures
If you’re dealing with higher-risk data (for example, health information or vulnerable customers), it’s worth getting tailored advice rather than hoping a “one size fits all” supplier contract covers your risk profile.
How To Manage Sub-Processors: A Practical Checklist For Businesses
Knowing what counts as a sub-processor is one thing. Managing them in a way that’s realistic for a busy small business is another.
Here’s a practical approach you can implement without turning your business into a compliance department.
1) Map Your Data And Your Suppliers
Start by listing:
- what personal data you collect (customers, staff, suppliers, website users)
- where it’s stored (CRM, cloud storage, email inboxes, spreadsheets)
- which suppliers process it for you (hosting, payroll, marketing, booking tools)
This helps you quickly identify which relationships are controller–processor and which are more like controller–controller (for example, some professional advisers may be independent controllers depending on how they operate).
2) Identify Likely Sub-Processor “Hotspots”
Sub-processors appear most often where your processor relies on infrastructure or specialist services, such as:
- cloud hosting and data centres
- email delivery and messaging services
- analytics and monitoring tools
- payment processing infrastructure
- customer support outsourcing
If you’re unsure, ask your processor for their sub-processor list (many publish this online) and check how often it changes.
3) Make Sure Your DPA Covers Sub-Processor Rules
Your agreement with the processor should clearly deal with sub-processors. Common clauses include:
- Authorisation: whether you approve sub-processors in advance (specific) or generally (with notice and an opportunity to object).
- Flow-down obligations: the processor must impose equivalent data protection obligations on the sub-processor.
- Liability and responsibility: the processor remains responsible for the sub-processor’s performance.
- Security: minimum technical and organisational measures, and audit/assurance rights where appropriate.
- Breach notification: timeframes and process for notifying you if something goes wrong.
If you’re putting a proper GDPR Package in place, this is the kind of issue you want handled consistently across your supplier contracts.
4) Keep An Eye On International Transfers
A common “surprise” is discovering that a sub-processor stores data outside the UK (or can access it from another country).
International transfers aren’t automatically prohibited, but they often require extra safeguards. In the UK, this commonly means using an appropriate UK transfer tool (such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses), and carrying out a transfer risk assessment where required.
As a quick practical check:
- Ask where your data is hosted and where it can be accessed from.
- Check what transfer safeguards your processor uses for sub-processors.
- Confirm whether you’ll be notified if the sub-processor list changes (especially if it adds a new overseas provider).
5) Document Your Decisions (Keep It Proportionate)
You don’t need a 50-page report for every software subscription. But you should be able to show you’ve taken reasonable steps.
A simple spreadsheet or supplier register can be enough, noting:
- supplier name and role (processor or controller)
- types of personal data involved
- high-level security assurances (for example, encryption, access controls)
- whether sub-processors are used and where to find the list
- any overseas transfers and safeguards
6) Put Clear Internal Rules In Place For Staff
Sub-processor issues often pop up when staff sign up to new tools without going through a quick compliance check.
Even a short internal rule can help, such as: “Don’t upload customer lists into new software unless it’s approved.” This is often captured in an Acceptable Use Policy.
Common Sub-Processor Scenarios (And How To Handle Them)
Let’s walk through a few situations small businesses commonly face when working out whether a supplier is a sub-processor and what to do about it.
You Use Cloud Storage For Customer And Staff Files
If your business stores personal data in the cloud, your storage provider is likely a processor (if they store it on your instructions). They may use sub-processors for hosting infrastructure, backups, and security monitoring.
Practical steps:
- check your provider’s sub-processor list and update policy
- confirm where data is stored and whether it leaves the UK
- make sure you have a DPA in place
If you want to sanity-check the risks of common cloud set-ups, it can help to think through issues like access controls and international transfers (for example, questions similar to those raised when asking whether Google Drive is GDPR compliant).
You Outsource Marketing (Email Campaigns, Lead Gen, CRM)
If a marketing agency uploads your customer list into their email tool, the agency is usually acting as your processor (or sometimes as a separate controller, depending on how they operate and what they decide). Their email platform may be a sub-processor (again, depending on the structure).
Practical steps:
- clarify roles in writing: who is controller and who is processor?
- ensure there is a DPA if they are processing on your behalf
- confirm what tools they use and whether sub-processors are involved
If data is being passed between multiple parties for a defined purpose, a Data Sharing Agreement may be relevant where parties are controllers in their own right (the right approach depends on the facts, so this is a good point to get tailored advice).
You Use AI Tools In Your Business
AI tools can complicate supplier chains quickly, because they may rely on multiple vendors for model hosting, monitoring, and content filtering.
If staff are uploading personal data into an AI tool, you’ll want to understand:
- whether your inputs are used to train models
- how long prompts/outputs are retained
- who the sub-processors are
- whether data is transferred overseas
It’s worth building this into your internal process for approving new tech, especially as guidance and expectations evolve (including issues like those discussed in ChatGPT GDPR considerations).
You Hire An IT Support Company
If an IT provider has admin access to devices, email accounts, or cloud storage, they may be processing personal data (even if it’s incidental to their main job). They may use sub-contractors or third-party tools to remotely manage devices.
Practical steps:
- limit access to what’s needed (least privilege)
- ensure confidentiality commitments are in place
- check whether they use sub-contractors and on what terms
Key Takeaways
- A good working definition of a sub-processor is: a supplier engaged by your processor to help process personal data on your behalf.
- Sub-processors matter because they can introduce additional security risk, international transfer issues, and slower breach response times if the chain isn’t managed properly.
- Even if you never deal with the sub-processor directly, you should make sure your contract with the processor clearly controls sub-processor appointment, flow-down obligations, and responsibility.
- A well-drafted Data Processing Agreement is usually the key document for managing sub-processor rules under UK GDPR.
- Keep your approach practical: map suppliers, review sub-processor lists, watch for overseas transfers, document decisions, and use internal policies to stop “shadow IT” sign-ups.
- If you process higher-risk data (or rely heavily on tech suppliers), getting tailored legal help early can save a lot of time and headaches later.
If you’d like help putting the right contracts and GDPR documentation in place (including processor and sub-processor arrangements), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.