GDPR Sub-Processor Agreement
Article 28 (1) of the GDPR provides that, where processing is to be carried out on behalf of a Controller, the Controller shall use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
Articles 28 (2) of the GDPR provides that, the Processor must not engage another processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor must inform the Controller of any intended changes concerning the addition or replacement of other Processors, thereby giving the Controller the opportunity to object to such changes.
The purpose of this template document is to provide an example of the typical matters to address in a Processor to Sub-Processor Agreement. This will largely reflect the terms agreed between the Data Controller and the Processor.