Contracts 8 min read·

GDPR Sub-Processor: The Missing Clause in Your Contract

70% of French SMEs haven't signed a DPA with their providers. Host, CRM, email tool, web agency: anyone who touches your client data must sign an Art. 28 GDPR-compliant sub-processing agreement. Without it, you bear the risk alone.

Who is a sub-processor?

A sub-processor under GDPR (Art. 4.8) is any natural or legal person who processes personal data on behalf of the data controller, on its instructions. The relationship is asymmetric: you decide the purpose and means, the sub-processor executes.

Concrete examples of sub-processors for an SME:

Hosting & Cloud
OVH, AWS, Scaleway, Cloudflare
Email marketing
Mailchimp, Brevo, Klaviyo, Mailjet
CRM
HubSpot, Salesforce, Pipedrive
Customer support
Zendesk, Intercom, Freshdesk, Crisp
Payment
Stripe, PayPal, Mollie
Analytics
Google Analytics, Plausible, Matomo
HR & Payroll
PayFit, Lucca, Silae, ADP
Web agency
Access to database or CMS

The 7 Mandatory Clauses of an Art. 28 DPA

1
Subject matter and duration

Precise description of processing (e.g., SaaS application hosting, sending marketing emails), categories of data involved, contract duration and end-of-contract procedure.

2
Nature and purpose of processing

What the sub-processor is authorized to do with the data. It cannot use the data for its own purposes (e.g., training AI models) without explicit consent.

3
Confidentiality obligation

The sub-processor's employees accessing data must be bound by a confidentiality obligation. Non-disclosure clause to third parties.

4
Further sub-processors

List of authorized further sub-processors (e.g., AWS for Mailchimp hosting). Obligation to inform the controller of any new sub-processor. Right to object possible.

5
Technical and organizational security measures

Art. 32 GDPR: encryption, access control, backups, security testing. The DPA must describe measures or refer to an attached security policy.

6
Data breach notification

Sub-processor obligation to alert the controller without undue delay (ideally within 24h) in case of breach, to enable CNIL notification within 72h.

7
Deletion or return at contract end

At contract end: complete data return in a structured format AND permanent deletion (including backups). Recommended maximum time: 30 days. Deletion certificate to keep.

Are your SaaS tools depositing cookies before your consent?

A sub-processor that deposits cookies before consent engages your GDPR liability. Detect it in 60s.

Sanctions for Missing DPA

DEDALUS BIOLOGIE — €1.5M (2022)

CNIL deliberation SAN-2022-009: medical SaaS sub-processor that exposed 491,000 patient records. Absence of adequate contractual clause with controller clients. Double condemnation: insufficient security + absent contractual framework.

Logistics company — €800,000 (2024)

CNIL deliberation SAN-2024-003: absence of DPA with several sub-processors accessing data of 500,000 clients, including non-framed transfers outside the EU.

Going Further

Frequently Asked Questions

Does my host need to sign a DPA?
Yes, absolutely. Your host (OVH, AWS, Scaleway, Cloudflare) potentially accesses your users' data. OVH and Scaleway offer compliant DPAs in their T&Cs. AWS and Cloudflare have DPAs available online to accept in your account.
Can I use the DPA provided by my provider or must I write my own?
You can use the provider's DPA provided it covers all Art. 28 obligations. Check: list of sub-processors, audit right, breach procedure, commitment to deletion at contract end. If a clause is missing, negotiate an amendment.
Is my web agency that develops my site a sub-processor?
Yes, if it accesses personal data of your users (database, logs, client files). DPA required. Exception: if it only works on the static front-end without data access.
How long must I keep signed DPAs?
At least 5 years after contract end. In case of CNIL inspection or dispute, it's your proof of diligence. Keep the signed version with the signature date and annexes (list of sub-processors, security measures).
My SaaS tool doesn't want to sign a custom DPA. What to do?
Most major SaaS offer a standard Art. 28-compliant DPA (accessible in account settings or via the legal page). If the provider categorically refuses any DPA, that's a strong signal: consider an alternative. Document the refusal in your processing register.
Do I need a DPA with a lawyer, accountant, HR provider?
Yes if these providers process personal data of your clients or employees (HR files, client accounting data). An accountant accessing your accounting software = sub-processor. DPA clause in the engagement letter or separate contract.

Are your sub-processors compliant?

RGPDScan identifies all third-party scripts loaded on your site and evaluates their GDPR compliance. Free scan in 60s.