In our previous article we looked at the difference between data controllers and data processors, and why understanding that distinction matters when deciding who is responsible for personal data.

However, there is another concept that often causes confusion.

Sub-processors.

Many organisations focus on the processor they have a contract with, but do not always consider the other organisations involved in delivering the service.

Understanding who those organisations are, and what role they play, is an important part of managing risk.

Processors rarely work alone

Modern software services rely on a number of different providers working together.

A SaaS company may provide the application you use, but the service might also depend on:

  • cloud hosting providers
  • email delivery services
  • analytics platforms
  • support tools

These additional providers may also have access to the environment where personal data is stored or processed. Where the main processor engages them to process personal data on behalf of the controller, the UK GDPR treats these organisations as sub-processors.

The Information Commissioner's Office explains in its controllers and processors guidance that a processor must not appoint another processor without the authorisation of the controller.

A puppy named Data

One way to think about this is to imagine asking someone to look after your puppy.

You know the person you are giving your puppy to. You trust them. You have seen how they care for their own dog and you feel comfortable leaving your puppy with them for a few days. They are the person responsible for looking after your puppy.

Now imagine they tell you that they live with their sixteen-year-old son. The son sometimes leaves the door open when he goes outside. He occasionally leaves food lying around and does not always tidy up after himself.

You might start to think differently about whether you are comfortable leaving your puppy there. You trusted the person you were dealing with, but now you realise that other people in the household may also affect your puppy's safety.

That situation is similar to how sub-processors work. You would probably want a say in who else is looking after the puppy and an assurance that the original sitter stays responsible. In effect, that is what the sub-processor authorisation rules are designed to achieve.

How this relates to personal data

When an organisation appoints a processor, it is trusting that organisation to handle personal data safely.

However, the processor may rely on other service providers to deliver the service.

Those providers may not be visible to the controller, but they may still be involved in the processing of personal data.

This is why controllers should understand not only who their processor is, but also which sub-processors are involved.

Legal requirements

UK GDPR requires that processors obtain authorisation before appointing another processor.

This is usually set out in the contract between the controller and processor.

Depending on how the contract is written, this often means that processors must, for example:

  • inform controllers about the sub-processors they use
  • obtain approval before adding new sub-processors
  • ensure sub-processors follow the same data protection obligations

The ICO provides guidance on these requirements in its material on controllers and processors.

What controllers should ask

For controllers, understanding sub-processors is not just a legal formality. It is part of good supplier assurance.

Useful questions include:

  • Which sub-processors are involved in delivering the service?
  • What part of the service does each one provide?
  • Will they store or access personal data?
  • In which countries will processing take place?
  • How will we be notified if a new sub-processor is added?

These questions help build a clearer picture of the actual processing environment rather than just the organisation named on the contract.

Why this matters

Understanding sub-processors is important because they can affect the overall security and governance of personal data. Even if the processor you contract with has strong controls in place, the organisations they rely on also play a role in protecting the data.

For controllers, this means understanding the broader processing environment and asking the right questions about how services are delivered.

For processors, it means being transparent about the providers they rely on and ensuring those providers meet appropriate standards. Effective data protection requires looking beyond the immediate supplier and understanding the wider ecosystem involved in processing personal data. It is also worth remembering that a processor remains accountable to the controller if something goes wrong with a downstream sub-processor.

Just as you would want to know who else is around when someone is looking after your puppy, organisations should understand who else may be involved when personal data is being processed.