A Sub-Processor is a third party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller.

      In order to use a sub-processor, the processor needs to have the controllers written permission. The terms regarding the usage of a sub-processor can be regulated between the controller and processor in their data processing agreement. If the controller has approved the usage of a sub-processor, the processor needs to establish a contract between him and the sub-processor that meet the requirements of a DPA in article 28(3) GDPR.

      It is also vital to notice that the processor who hire a sub-processor always will be liable to the controller regarding the sub-controllers compliance.