Skip to content
Vectel
Support/Compliance and regulations

My vendor uses sub-processors, how do I handle that properly?

Under GDPR you, the controller, are accountable for the full chain. The DPA must cover sub-processors, including notice and the right to object.

Try this first

  1. 1Ask the vendor for the current sub-processor list with country of establishment and what each one does. Keep it with the contract.
  2. 2Agree that the vendor notifies you in advance of any change, with a reasonable window to object.
  3. 3Verify that the prime vendor flows the same obligations down to each sub-processor by contract. Ask for a sample DPA if needed.
  4. 4Watch transfers: if a sub-processor sits outside the EEA, the legal basis (SCCs or EU-US DPF, for example) has to hold for that hop too.
  5. 5Add the chain to your processing register so you can trace where data sat in case of a breach.

When to bring us in

If you cannot get a sub-processor list or the vendor refuses notice obligations, that is a red flag. Get a privacy lawyer to review the contract.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works