In this article, a GDPR expert explains what mistakes controllers often make when working with processors and how businesses can engage processors without breaching GDPR.

How to Manage a Chain of Processors Under GDPR: Expert Guide for Controllers

Processing that involves not only a controller but also a processor, and often several processors including sub-processors, surprises no one. After all, it is so convenient to outsource part of your business functions, such as marketing campaigns, recruitment, or bookkeeping, to companies that specialize in precisely these operations. You sign a Data Processing Agreement (DPA), include information about the processor in your personal data processing policy, and launch the processing. Where could the pitfalls be?

In this new article, we discuss what controllers often overlook when working with processors.


Big Brother (The Controller) Is Watching You!

When a controller initiates the processing of personal data, it determines the two main elements: “why?” (the purpose of processing) and “how?” (the means of processing). At the same time, the very decision to engage a processor, as well as the choice of a specific processor, is considered the determination of a means of processing (that very “how?”). Consequently, it is the controller who has the decisive say — “yes” or “no” — on engaging any additional processor at any level (sub-processor, sub-sub-processor, and so on).

How does it exercise this power? According to Article 28(2) GDPR, a processor (with whom the controller already has a contractual relationship) must not engage another processor without prior specific or general written authorization from the controller.


The EDPB clarifies that a processor within the meaning of Article 4(8) GDPR is not only a first-level processor engaged directly by the controller, but also a processor of a processor, and so on, throughout the entire data processing chain. That is, the controller’s obligations related to vetting a processor when it joins the data processing chain apply to absolutely all processors regardless of their level. (Opinion 22/2024 on certain obligations following the engagement of processor(s) and sub-processor(s), adopted by the EDPB on 7 October 2024, paras. 17 and 39.)

Example:

Company A, a Spanish online hypermarket, approaches a local marketing agency B to increase sales through marketing campaigns. It is expected that Company B will receive data about the hypermarket's current customers and their purchases over the past two years, analyze this data, segment the customers, and send all customers advertising messages by email, which will differ depending on the segment the customer was assigned to. Among the data transferred to Company B: the customer's email address and all orders placed using that email address over the past two years.

Company A is the controller of personal data. Marketing agency B is the processor of personal data. In accordance with the Data Processing Agreement concluded between Companies A and B, Company B is obliged to request prior specific authorization from the controller to engage any processor, except those already included in the Data Processing Agreement. At the time of concluding the Data Processing Agreement, it lists two processors to whom agency B has the right to transfer personal data: email campaign platform C and its hosting provider D. Both email campaign platform C and its hosting provider D are located outside the EEA, in Israel. Israel is a jurisdiction with an adequate level of personal data protection in accordance with the European Commission's adequacy decision.

The controller’s authorization (general written or prior specific) is a tool that allows the controller to choose the method of processing personal data: which specific processor will be engaged, whether personal data will be transferred outside the European Economic Area (EEA), which specific protective measures will be used, and so on. Depending on the agreements between the parties, the controller adds another participant to the data processing either by its direct “yes” (prior specific authorization) or by the absence of a direct “no” (general written authorization). It is important to note: under both options, the processor has an obligation to notify the controller in advance of its intention to engage another participant in data processing, and the controller has the right to prohibit the processor from engaging that participant in the processing (and the processor is obliged to comply with that decision). In practice, this means that:

🔹 no matter at what level a processor intends to engage a sub-processor, the controller's authorization must be obtained. That is, the request must be passed along the chain to the "locomotive" of the processing. Under Article 28(4) GDPR, the first-level processor is obliged not only to follow the authorization request procedure itself, but also to impose the same obligations, by contract, on each subsequent link in the chain. Thus, even the contract with the processor at the last level (for example, the 5th level) must contain such an obligation;

€80,000 for Document Delivery

A client of ING Bank in Spain sent the bank a set of paper documents (application form, copy of DNI, signatures, etc.) to register himself as a joint account holder with his partner. The shipment went through a courier chain: ING Bank (controller) concluded a DPA with courier DYNAMIC (processor), DYNAMIC engaged SENDING as a sub-processor, and SENDING, in turn, enlisted another courier company, AUTORADIO. It was an AUTORADIO employee who collected the envelope from the client, but the documents were lost (ING Bank never received the package). The bank's client filed a complaint with the supervisory authority.

It was established that SENDING acted as a sub-processor of ING Bank and should have complied with the requirements of Article 28 GDPR. The contract between ING Bank and DYNAMIC (first-level processor) required strict (specific) approval of all sub-processors. DYNAMIC passed this obligation further down the chain, meaning that SENDING, wishing to engage AUTORADIO in data processing, should have requested authorization from ING Bank. However, SENDING, in breach of both its contract with DYNAMIC and Article 28(2) GDPR, did not request authorization to engage the sub-processor. Moreover, the contract between SENDING and AUTORADIO did not meet the requirements of Article 28(4) GDPR: the controller ING Bank was not identified in it, the roles were described incorrectly, and the processing conditions and security measures fell short of the obligations under the contract between ING Bank and DYNAMIC.

A poor-quality DPA cost SENDING €80,000.

🔹 the controller always reviews a specific candidate (sub-)processor. That is, the processor is obligated to compile a dossier on each potential participant in the processing and await the controller’s decision. Requesting approval for a category of processors (for example, “courier organizations” or “email distribution operators”) is not permitted;

🔹 the controller's obligation is to review the candidate proposed by the processor and make a decision. This follows from the controller's obligation under Article 28(1) GDPR "to use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject". Even if, in the controller's opinion, the processing presents minimal risk to the rights and freedoms of data subjects, this cannot be grounds for not fulfilling the obligation (although it does affect how deeply the candidate is vetted);

🔹 the agreement between the controller and processor (as well as between processors of subsequent levels) cannot include a provision that the controller gives the processor general consent to engage any (sub-)processors of subsequent levels at the processor’s discretion (without the need to present candidates for the controller’s review). Even if such a provision is included in the agreement, it will be invalid from the very beginning: the agreement cannot override the legal provision of Article 28(2) GDPR.

This means that identifying information (name/title, address, contact person, and description of data processing activities) about all processors at all levels must always be available to the controller, since it is the latter who bears responsibility for the actions of each processor in the chain.


I’m a controller. Why do I need to know every sub-processor in the chain?

GDPR imposes a number of obligations on the controller that are impossible to fulfill without information about each participant in the data processing chain:

1. according to Articles 13(1)(e) and 14(1)(e) GDPR, the controller is obligated to include in the privacy policy information about recipients (or categories of recipients) of data. At the same time, the controller must strive to provide the most specific information possible. In accordance with paragraph 37 of the Guidelines on transparency, as a general rule, the most specific information means listing recipients by name. (Article 29 Working Party Guidelines on transparency under Regulation 2016/679, WP260 rev.01, adopted on 29 November 2017, as last revised and adopted on 11 April 2018.) If the controller chooses to indicate not the name of the recipient but its category, it is essential to specify the field of activity and location of such recipient;

Example: In accordance with the Data Processing Agreement, the controller — online store A — has engaged processors: marketing agency B, email distribution platform C, and its hosting provider D. The platform and its hosting provider are registered and physically located in Israel. In the privacy policy, the controller indicates either specific information about personal data recipients (company name, address, website link), or their categories, for example: “marketing agency engaged in analyzing customer preferences,” “platform for sending email distribution,” “hosting provider”.

2. as provided by Articles 13(1)(f) and 14(1)(f) GDPR, the controller indicates in the privacy policy also information about cross-border data transfers, including information about the destination country and applicable safeguards. To know exactly which countries the personal data will be sent to, it is important for the controller to have access to information about all data recipients (regardless of how far they are from the controller in the processing chain);

Example: Email distribution platform C and its hosting provider D are registered and physically located in Israel. In the privacy policy, online store A indicates that customers’ personal data will be transferred to the email distribution platform and hosting provider located in Israel. Israel is a jurisdiction with an adequate level of personal data protection in accordance with the European Commission’s decision.

3. in accordance with Article 15 GDPR (right of access to personal data), the data subject has the right to receive from the controller information about recipients or categories of recipients of personal data. The Court of Justice of the EU clarified that this provision obliges the controller to provide information about specific recipients (that is, the data subject must receive a list of the persons to whom their personal data was actually disclosed), and that the controller may fall back on categories only where it is impossible to identify the recipients or where the request is manifestly unfounded or excessive (Judgment of the Court of 12 January 2023, RW v Österreichische Post AG, C‑154/21, paragraph 51);

Example: One of the customers of online store A submitted a request to the controller for access to their personal data, including information about recipients of their data. In the response to the subject, online store A indicated the specific recipients of personal data: marketing agency B, registered in Spain; email distribution platform C, registered in Israel; hosting provider D, registered in Israel.

4. Article 19 GDPR provides that the controller is obligated to communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort, and, if the data subject asks, to tell the data subject who those recipients are.

⚠️ Important:

all these obligations apply not only to the initial processor with whom the controller directly establishes a relationship, but also to all other processors (and data recipients) in the data processing chain (sub-processors, sub-sub-processors, etc.). So even if cross-border transfer occurs between a processor and a sub-processor (or even between processors at levels 4 and 5), it is the controller’s task to track this transfer and include it in their own privacy policy.

What do I need to do to reach GDPR compliance?

This is a perfectly reasonable question and there is an answer to it. Here is an action plan for the controller:

1. If you intend to engage a processor for processing, gather information:

  • assess the risks of the specific data processing. For example, risks are higher if you process special categories of data, such as health data or trade union membership. However, if these specific categories of data will not be transferred to the processor, the risk will not be as high. Consider what specific protective measures will help minimize risks;
  • select potential processor candidates. At this stage, the controller reviews publicly available information, such as privacy policies, information about certifications or codes of conduct that the processor follows. It will also be helpful to check the potential processor’s history in terms of data breaches or liability for violations of personal data legislation;
  • contact the best candidates and clarify what organizational and technical data protection measures they implement. Having received the information, assess how well these organizational and technical measures help minimize the risks of the relevant personal data processing;

€350,000 for attempting to shift responsibility

Polish company A (controller) entrusted company X (processor / IT contractor) with website migration and maintenance. During the launch of the new website (transition to the new service), X’s employees copied files with backup copies of the old site’s databases to a new folder, which was supposed to be hidden but turned out to be publicly accessible. As a result, the server configuration allowed search robots to index this directory, and the personal data of approximately 21,000 people (full names, addresses, email, phones, dates of birth, PESEL, etc.) became available for viewing and downloading through a search engine. After the incident was identified, the controller notified the supervisory authority. The authority, in turn, conducted an investigation and held both the controller and the processor liable for failing to implement appropriate technical and organizational security measures and for violating the accountability principle. Specifically, before concluding the agreement with the processor, the controller did not conduct proper risk analysis and impact assessment. The DPA was general in nature, did not stipulate specific requirements for security, monitoring, and audit (data security was essentially delegated to the processor). In turn, the security measures implemented by the processor were disproportionate to the risks: the processor did not conduct configuration checks, environment testing, or implement adequate access control and encryption.

The formal approach to engaging a processor cost the controller €350,000. The processor was luckier: its fine amounted to only €4,590.

  • find out whether potential processors use the services of sub-processors. If yes, it’s worth clarifying whether such sub-processors are located within the EEA or outside it. For sub-processors located outside the EEA, it is also important to verify the status of the destination jurisdiction (existence of an adequacy decision by the European Commission) and applicable safeguards in accordance with Chapter V GDPR;

2. select the best candidate among potential processors and conclude a DPA with them in accordance with Article 28 GDPR:

  • determine the type of authorization for engaging new processors (general written or prior specific). If you have chosen general written authorization, specify in the contract exactly how the processor should present candidates for your review. Sometimes the processor publishes information about a potential sub-processor on a separate page of the website, to which all controllers have access; sometimes data about a potential sub-processor is sent through notifications in the controller’s electronic cabinet on the processor’s platform or by email. Also specify how much time you will have to make a decision. It is also useful to include sub-processor selection criteria in the contract, for example, only companies with ISO 27701 certification or companies located in the EEA: they will serve as a guideline for the processor, and therefore, when the criteria are met, the chances of approval by the controller will be higher;

Example: Marketing agency B conducted segmentation of online store A’s customers for subsequent email campaigns. However, during the provision of services to online store A, additional customer analysis was required. Unfortunately, the specialists of marketing agency B did not have much experience in conducting such analysis. However, their colleagues from marketing agency E had long been engaged in such analysis and could conduct it.

Since the Data Processing Agreement required company B to obtain prior specific authorization to engage other processors, the agency contacted the controller, presenting information about the personal data processing and protection practices at company E. Marketing agency B obtained this information by sending agency E a questionnaire in advance to clarify what specific measures this company takes to protect personal data. Online store A reviewed the information about the personal data processing practices at company E, considered the applicable protection measures sufficient and reasonable, and granted marketing agency B permission to engage the subcontractor.

In connection with engaging the subcontractor, the controller needs to make changes to the personal data processing policy.

Since marketing agency E is located in Spain, there is no need to supplement information about cross-border transfer of personal data.

If the original version of the personal data processing policy provided a list of specific data recipients, online store A needs to add marketing agency E to this list. However, if the policy initially contained only categories of personal data recipients, there is no need to supplement the policy, since company E, like company B, belongs to “marketing agencies engaged in analyzing purchasing preferences”.

  • depending on the degree of risk to the rights and freedoms of data subjects, determine the depth of processor verification during contract performance. The controller’s obligation established in Art. 28(1) GDPR is not exhausted at the pre-contractual stage: throughout the entire period of cooperation, the controller is obliged to regularly check whether the processors participating in the processing are taking the necessary data protection measures. For example, if the processor’s DPO publishes an annual report on the state of personal data protection, the controller may insist that a copy of this report be provided to them as well. The verification method may also be sending an annual questionnaire to the processor;
  • each time the processor wishes to engage a sub-processor in data processing, review the received “dossier.” The controller does not have the right to shift to the processor the obligation to engage only reliable contractors in data processing. Consequently, the controller has the final say. How reliable does the potential sub-processor appear? In what jurisdiction is it located? What data protection measures does it take? Are such measures sufficient to minimize the risks of your specific processing?

3. Promptly enter information about data recipients and cross-border data transfers into the personal data processing policy. Remember: as a controller, you are obliged to describe all cases of cross-border data transfer throughout the entire processing chain.

4. Maintain a catalog of data recipients for each specific processing. According to Art. 30(1)(d) GDPR, the processing register is allowed to indicate only categories of recipients. But in order to fulfill its obligations (as well as in accordance with the principle of accountability), the controller needs to keep information about data recipients at hand.
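The action plan above is easier to keep honest when the processing chain is recorded as data rather than in scattered contracts. The following added example (not code from the original article) models a controller's view of the chain and checks the points made above: every (sub-)processor at any depth needs the controller's prior written authorization (Article 28(2)), every link must carry the DPA obligations down (Article 28(4)), every non-EEA location needs an adequacy decision or a Chapter V safeguard, and the same structure yields the recipient list needed for Articles 13/14 and 15. The company names, the ISO country codes, the `chapter_v_safeguard` attribute and the adequacy list (an illustrative subset) are assumptions; the second chain is a constructed reconstruction of the courier case described earlier.

```python
"""Sub-processor chain registry (added example, not from the original article)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator

EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
       "SE", "IS", "LI", "NO"}
# Illustrative subset of countries with a Commission adequacy decision; an assumption
# for this example, always check the Commission's current list.
ADEQUACY = {"IL", "CH", "GB", "JP", "KR", "CA", "NZ", "AR", "UY"}


@dataclass
class Processor:
    name: str
    country: str                  # ISO 3166-1 alpha-2 of where the data is processed
    activity: str                 # description used in Art. 13/14 and Art. 15 disclosures
    authorization: str | None     # "specific", "general" or None (Art. 28(2))
    objected: bool = False        # controller objected after a general-authorization notice
    art28_4_terms: bool = True    # contract binding this node mirrors the controller's DPA
    chapter_v_safeguard: str | None = None   # e.g. "SCCs" for a non-adequate third country
    subprocessors: list[Processor] = field(default_factory=list)


def walk(nodes: list[Processor], depth: int = 1,
         parent: str = "controller") -> Iterator[tuple[Processor, int, str]]:
    """Depth-first traversal of the whole chain, whatever its length."""
    for p in nodes:
        yield p, depth, parent
        yield from walk(p.subprocessors, depth + 1, p.name)


def transfer_basis(p: Processor) -> str | None:
    """Legal basis for sending data to this processor's location, or None."""
    if p.country in EEA:
        return "EEA"
    if p.country in ADEQUACY:
        return "adequacy decision"
    return p.chapter_v_safeguard


def check_chain(first_level: list[Processor]) -> list[str]:
    """Return one finding per gap the controller must close; empty list means OK."""
    findings = []
    for p, depth, parent in walk(first_level):
        where = f"{p.name} (level {depth}, engaged by {parent})"
        if p.authorization not in ("specific", "general"):
            findings.append(f"{where}: no prior written authorization from the controller (Art. 28(2))")
        elif p.authorization == "general" and p.objected:
            findings.append(f"{where}: controller objected, must not be engaged (Art. 28(2))")
        if not p.art28_4_terms:
            findings.append(f"{where}: contract does not carry the controller's DPA obligations (Art. 28(4))")
        if transfer_basis(p) is None:
            findings.append(f"{where}: transfer to {p.country} without adequacy decision or Chapter V safeguard")
    return findings


def recipients(first_level: list[Processor]) -> list[dict]:
    """Named recipient list for Art. 13/14 notices and Art. 15 access responses."""
    return [{"name": p.name, "country": p.country, "activity": p.activity, "level": d}
            for p, d, _ in walk(first_level)]


def cross_border_transfers(first_level: list[Processor]) -> list[tuple[str, str, str | None]]:
    """Every non-EEA recipient in the chain with its transfer basis, for Art. 13(1)(f)."""
    return [(p.name, p.country, transfer_basis(p)) for p, _, _ in walk(first_level)
            if p.country not in EEA]


# Constructed data mirroring the online-store example in the article (names illustrative).
STORE_CHAIN = [Processor("Marketing agency B", "ES", "customer segmentation and email campaigns", "specific",
    subprocessors=[
        Processor("Email campaign platform C", "IL", "email delivery", "specific", subprocessors=[
            Processor("Hosting provider D", "IL", "hosting for platform C", "specific")]),
        Processor("Marketing agency E", "ES", "additional customer analysis", "specific"),
    ])]

# Constructed reconstruction of the courier chain from the ING/SENDING decision above.
COURIER_CHAIN = [Processor("DYNAMIC", "ES", "document courier", "specific", subprocessors=[
    Processor("SENDING", "ES", "document courier", "specific", subprocessors=[
        Processor("AUTORADIO", "ES", "document courier", None, art28_4_terms=False)])])]

if __name__ == "__main__":
    for chain in (STORE_CHAIN, COURIER_CHAIN):
        print(check_chain(chain) or ["chain OK"])
    print(cross_border_transfers(STORE_CHAIN))
```

Run as a script, the store chain reports no findings and lists platform C and hosting provider D as Israel transfers covered by an adequacy decision; the courier chain reports two findings against AUTORADIO, the missing authorization and the missing Article 28(4) terms, which are the two defects the supervisory authority identified. Keeping the chain in this form also answers an Article 15 request directly from `recipients()` instead of from memory.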
