What is a Sub-Processor?
A sub-processor is a third party engaged by a processor to perform some or all of the processing on behalf of the controller (GDPR Article 28). Cloud infrastructure providers (AWS, GCP), email senders (SendGrid, Mailgun), analytics platforms and payment gateways are typical sub-processors in a SaaS context. The controller retains ultimate responsibility, and the processor must impose flow-down obligations on each sub-processor matching the controller-processor DPA.
GDPR Article 28(2) and 28(4) — sub-processor engagement rules
- Prior authorisation: the processor cannot engage a sub-processor without prior general or specific written authorisation of the controller.
- Notification of changes: if general authorisation is given, the processor must inform the controller of any intended addition or replacement of sub-processors and provide objection rights.
- Same obligations: the contract with the sub-processor must impose the same data protection obligations as those set out in the controller-processor contract (in particular the Article 28(3) terms).
- Full liability: where the sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of the sub-processor's obligations.
Sub-processor list and DPA mechanics
- Public sub-processor list: SaaS vendors typically maintain a public, dated list of sub-processors (often reviewed quarterly), usually with a subscription or changelog so customers can track additions and replacements.
- Email notification: 30 days' advance notice of a new or replacement sub-processor is the most common industry norm, but the notice period written into the specific DPA controls and some DPAs specify shorter windows.
- Objection right: the controller may object on reasonable data protection grounds within the window the DPA sets; if the objection cannot be resolved (for example by not routing that customer's data to the new sub-processor), the usual contractual remedy is termination of the affected service.
Sub-processors under KVKK
KVKK Article 12 sets out the data controller's data security obligations and makes the controller jointly responsible with the data processor for the required technical and organisational measures; for the sub-processor chain, a written agreement plus a flow-down clause has become established practice. For Turkish SaaS exporters, customer DPAs already cover standard sub-processors such as AWS and GCP, but Turkey-specific sub-processors such as local CDNs or KVKK compliance vendors must be listed explicitly.
Do: maintain a public, dated sub-processor list; notify customers in advance of additions; require sub-processors to sign back-to-back DPAs.
Don’t: engage a new sub-processor without checking the customer DPA’s notification and objection windows.
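The following is an added example, not code from the original page or from any vendor named above. It mechanises the check behind the "Sub-processor list and DPA mechanics" section and the Don't above: diff a previous and current dated sub-processor list to find additions and removals, then verify that each planned addition's effective date respects the customer DPA's notice window and compute the objection deadline. The 30-day notice period and the 14-day objection window are assumptions standing in for whatever the specific DPA says, the ExampleCDN entry is hypothetical, and all sample data is constructed.

```python
"""Diff two sub-processor lists and check a planned change against a DPA
notice window. Added example; the notice and objection periods and all
sample entries below are assumptions/constructed data, not real DPA terms."""
from dataclasses import dataclass, asdict
from datetime import date, timedelta

NOTICE_DAYS = 30      # assumed DPA advance-notice period for new sub-processors
OBJECTION_DAYS = 14   # assumed objection window, counted from the notice date


@dataclass(frozen=True)
class SubProcessor:
    name: str
    purpose: str
    region: str


# Constructed sample lists: the current list adds a hypothetical local CDN.
SAMPLE_PREVIOUS = [
    SubProcessor("AWS", "hosting and storage", "eu-central-1"),
    SubProcessor("SendGrid", "transactional email", "US"),
]
SAMPLE_CURRENT = SAMPLE_PREVIOUS + [
    SubProcessor("ExampleCDN", "content delivery", "TR"),
]


def diff_lists(previous, current):
    """Return (added, removed) comparing two lists keyed on sub-processor name."""
    prev = {s.name: s for s in previous}
    cur = {s.name: s for s in current}
    added = [cur[n] for n in cur if n not in prev]
    removed = [prev[n] for n in prev if n not in cur]
    return added, removed


def check_notice(notice_sent: str, effective: str,
                 notice_days: int = NOTICE_DAYS,
                 objection_days: int = OBJECTION_DAYS) -> dict:
    """Verify that a change effective on `effective` was announced at least
    `notice_days` before it; dates are ISO strings so the result is portable."""
    sent = date.fromisoformat(notice_sent)
    eff = date.fromisoformat(effective)
    earliest_effective = sent + timedelta(days=notice_days)
    objection_deadline = sent + timedelta(days=objection_days)
    shortfall = max(0, (earliest_effective - eff).days)
    return {
        "ok": eff >= earliest_effective,
        "earliest_effective": earliest_effective.isoformat(),
        "objection_deadline": objection_deadline.isoformat(),
        "shortfall_days": shortfall,
    }


def review_change(previous, current, notice_sent: str, effective: str) -> dict:
    """Combine the diff and the notice check into one review record: every
    addition is a finding; an addition that breaches the window is flagged."""
    added, removed = diff_lists(previous, current)
    notice = check_notice(notice_sent, effective)
    findings = []
    for sp in added:
        findings.append({
            **asdict(sp),
            "action": "added",
            "notice_ok": notice["ok"],
            "shortfall_days": notice["shortfall_days"],
        })
    for sp in removed:
        findings.append({**asdict(sp), "action": "removed",
                         "notice_ok": True, "shortfall_days": 0})
    return {
        "compliant": all(f["notice_ok"] for f in findings),
        "objection_deadline": notice["objection_deadline"],
        "findings": findings,
    }


if __name__ == "__main__":
    # Notice sent 1 March, change effective 20 March: only 19 days, so it
    # falls 11 days short of the assumed 30-day window.
    report = review_change(SAMPLE_PREVIOUS, SAMPLE_CURRENT,
                           "2024-03-01", "2024-03-20")
    for f in report["findings"]:
        print(f"{f['action']:8} {f['name']:12} notice_ok={f['notice_ok']} "
              f"shortfall={f['shortfall_days']}d")
    print("compliant:", report["compliant"],
          "objection deadline:", report["objection_deadline"])
```

In practice the two lists would be fetched from the vendor's published page or changelog at each review; keeping the dates as ISO strings lets the review record be stored alongside the DPA and the customer's objection, if any.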