Privacy Glossary

Sub-Processor

A third party engaged by a Data Processor to carry out processing activities on behalf of the Data Controller.

GDPR, LGPD

Full Definition

A Sub-Processor is any third party that a Data Processor engages to process personal data on behalf of the Data Controller. Under GDPR, processors must obtain the controller's prior written authorisation before engaging sub-processors — either specific authorisation or general authorisation (with the right to object to new sub-processors). Processors remain fully liable to the controller for the sub-processor's compliance. Sub-processor chains must be documented, and the obligations imposed on sub-processors must be at least equivalent to those imposed on the processor under the Data Processing Agreement. Organisations commonly use a public sub-processor list to provide transparency.
