In order to use a sub-processor, the processor needs to have the controllers written permission. The terms regarding the usage of a sub-processor can be regulated between the controller and processor in their data processing agreement. If the controller has approved the usage of a sub-processor, the processor needs to establish a contract between him and the sub-processor that meet the requirements of a DPA in article 28(3) GDPR.
It is also vital to notice that the processor who hire a sub-processor always will be liable to the controller regarding the sub-controllers compliance.
Expert Legal Advice that strengthens your digital strategy
Connect with our experts in technology and data protection law. SaaS. License agreement. Cloud services. Business-minded.
Get a quote today from the business law firm Sharp Cookie Advisors