GDPR Sub-Processor: The Missing Clause in Your Contract
70% of French SMEs haven't signed a DPA with their providers. Host, CRM, email tool, web agency: anyone who touches your client data must sign an Art. 28 GDPR-compliant sub-processing agreement. Without it, you bear the risk alone.
Who is a sub-processor?
A sub-processor under GDPR (Art. 4.8) is any natural or legal person who processes personal data on behalf of the data controller, on its instructions. The relationship is asymmetric: you decide the purpose and means, the sub-processor executes.
Concrete examples of sub-processors for an SME:
The 7 Mandatory Clauses of an Art. 28 DPA
Precise description of processing (e.g., SaaS application hosting, sending marketing emails), categories of data involved, contract duration and end-of-contract procedure.
What the sub-processor is authorized to do with the data. It cannot use the data for its own purposes (e.g., training AI models) without explicit consent.
The sub-processor's employees accessing data must be bound by a confidentiality obligation. Non-disclosure clause to third parties.
List of authorized further sub-processors (e.g., AWS for Mailchimp hosting). Obligation to inform the controller of any new sub-processor. Right to object possible.
Art. 32 GDPR: encryption, access control, backups, security testing. The DPA must describe measures or refer to an attached security policy.
Sub-processor obligation to alert the controller without undue delay (ideally within 24h) in case of breach, to enable CNIL notification within 72h.
At contract end: complete data return in a structured format AND permanent deletion (including backups). Recommended maximum time: 30 days. Deletion certificate to keep.
Are your SaaS tools depositing cookies before your consent?
A sub-processor that deposits cookies before consent engages your GDPR liability. Detect it in 60s.
Sanctions for Missing DPA
CNIL deliberation SAN-2022-009: medical SaaS sub-processor that exposed 491,000 patient records. Absence of adequate contractual clause with controller clients. Double condemnation: insufficient security + absent contractual framework.
CNIL deliberation SAN-2024-003: absence of DPA with several sub-processors accessing data of 500,000 clients, including non-framed transfers outside the EU.
Going Further
- Transfers outside EU: are you in violation?
- Processing register: Art. 30 guide
- Complete GDPR checklist 2026
- GDPR for SaaS publishers