The legal baseline in Europe is clear. Under the GDPR, a processor may engage another processor only with the controller's prior written authorization, which may be specific (approval of a named sub-processor) or general (a standing approval coupled with notice rights). Where general authorization applies, the processor must inform the controller of any intended addition or replacement of sub-processors so that the controller has the opportunity to object.
The requirement has practical force because the same article requires the processor's obligations to flow down by contract to each sub-processor. If the downstream chain is not mapped, a vendor will struggle to show that its legal terms, security controls, and disclosure duties extend beyond the first contractual layer.
Why It Matters
- GDPR Article 28(2) requires prior written authorization before a processor engages another processor and, where that authorization is general, notice of intended additions or replacements so the controller can object.
- Article 28(4) requires the processor to impose the same data protection obligations on each sub-processor by contract, and leaves the processor fully liable to the controller if the sub-processor fails to meet them.
- ISO/IEC 27001:2022 Annex A contains four linked supplier controls: 5.19 (information security in supplier relationships), 5.20 (addressing information security within supplier agreements), 5.21 (managing information security in the ICT supply chain), and 5.22 (monitoring, review and change management of supplier services).
- A SOC 2 report must be read for scope: it covers the trust services categories the service organization selected and the system described in the report, not every vendor dependency.
- Incomplete sub-processor disclosure can complicate procurement reviews, contract renewals, and customer negotiations.
The Authorization Requirement
The requirement is often discussed as a contract provision, but it also operates as a control on operational change. A processor that adds a new support platform, analytics provider, or observability tool needs more than an internal procurement step if that service will receive personal data processed on the controller's behalf, because at that point the service is a sub-processor.
The rule requires prior written authorization from the controller before another processor is engaged. When the authorization is general rather than specific, the processor must still notify the controller of intended changes and give it time to object.
The same article also requires the processor to impose, by contract, the same data protection obligations on the downstream processor that bind the processor itself, in particular the obligation to provide sufficient guarantees that appropriate technical and organisational measures are in place. If the sub-processor fails to meet those obligations, the initial processor remains fully liable to the controller for the sub-processor's performance.
Secondary legal commentary reaches the same conclusion. White & Case notes that a sub-processor must be appointed on the same terms as those agreed between the controller and the processor. Practical guidance from GDPR Local and ComplyDog describes objection rights, notice periods, and the need to manage sub-sub-processor relationships rather than stopping at the first tier.
Why ISO 27001 Supplier Controls Matter
The same issue appears in information security management, even though the terminology is different. ISO/IEC 27001 places supplier oversight inside a connected set of Annex A controls.
These cover information security in supplier relationships (5.19), security requirements in supplier agreements (5.20), the ICT supply chain (5.21), and the monitoring, review, and change management of supplier services (5.22).
Mappings of the 2022 revision identify separate controls for supplier relationships and supplier agreements. Third-party commentary describes control 5.20 as requiring the relevant information security requirements to be established and agreed with each supplier, according to the type of supplier relationship.
Those controls do not create a simple rule that every supplier's supplier must be named in a certificate scope. They do, however, reinforce the need for supplier due diligence, contractual clarity, and change oversight wherever third parties affect information and services.
That is why downstream tools can become material in an audit or customer review even if they entered the environment through an integration rather than a procurement. If a vendor cannot explain what the tool does, what data it receives, and what contractual and security conditions govern it, the gap is no longer only technical.
SOC 2 Scope Is Useful but Limited
SOC 2 reports are frequently used as evidence in procurement, but their value depends on what they actually cover. As the IAPP notes, a SOC report pairs management's assertion about its controls with an independent auditor's opinion on whether that assertion matches the company's practices.
That matters because a SOC 2 report does not automatically answer every question a customer may ask about downstream processing. The IAPP explains that the service organization chooses which trust services categories are examined, and the system description it writes defines the boundary of what the auditor tests.
Controllers should confirm that the report's scope includes their requirements rather than assuming that the existence of a SOC 2 report settles the issue.
This does not mean a hidden downstream tool automatically invalidates a SOC 2 report. It does mean the report may be silent on a dependency that falls outside the defined system description. Subservice organizations are commonly handled under the carve-out method, in which the downstream provider's controls are excluded from the examination and merely listed as complementary subservice organization controls the customer is expected to evaluate, so the report attests to nothing about how that provider actually operates. A Type 1 report, in addition, describes controls at a point in time; only a Type 2 report tests their operating effectiveness over a period. Customers are left to ask separate questions.
The same caution applies to ISO 27001 certificates. A certificate shows that an information security management system has been audited within the scope stated on the certificate; it does not relieve a customer from examining supplier arrangements and the practical reach of the controls.
How Contract Reviews Shift Leverage
Customer contracts often translate these legal and audit questions into operational pressure. Practical GDPR guidance commonly describes clauses that require a current sub-processor list, advance notice of changes, and a defined period for customer objection.
GDPR Local notes that notice windows often range from 30 to 60 days depending on contract terms and processing activities.
Once those clauses are in place, a vendor's undisclosed dependency becomes a commercial problem before any regulator is involved. A buyer conducting renewal diligence may ask whether a support platform or observability tool processes personal data and whether that provider appears on the vendor's published list.
If the answer is incomplete, the discussion widens quickly. Procurement teams may request updated data processing terms, security questionnaires, evidence of supplier review, or revised product scoping.
That is the point at which leverage shifts toward the customer. The issue is not that every hidden dependency voids a certification as a matter of law. It is that undisclosed downstream processing undermines the credibility of a vendor's compliance package and gives a large buyer reason to delay or renegotiate.
What Vendors Need to Control
The first requirement is a current inventory of downstream processors and other material suppliers. For each entry, the vendor needs the supplier's legal name, a description of the service, the categories of personal data involved, the processing location (including whether data leaves the EEA), and the contract path that governs the relationship.
The second requirement is contract discipline across layers. Article 28(4) requires the same data protection obligations to be imposed on sub-processors by contract, and practical guidance emphasizes addressing sub-sub-processors rather than stopping at the first vendor tier.
The third requirement is scope review before a renewal, audit, or large enterprise sale. Because SOC 2 and ISO 27001 evidence must be read in light of scope, a vendor should check whether new tooling has altered what customers will expect the assurance package to cover.
The fourth requirement is change management that connects legal, security, and product teams. A new vendor can trigger notice duties under data protection law and supplier review duties under the information security standard at the same time, so these changes cannot be treated as a narrow procurement step.
A Governance Issue, Not a Documentation Exercise
The central problem is not only whether a vendor can publish a longer list of names. It is whether the company can show that downstream processing has been identified, reviewed, contracted appropriately, and reflected accurately in the evidence it presents to customers.
That is why hidden sub-processors create outsized risk during enterprise sales and renewals. They expose gaps between legal commitments, security assurances, and operational reality.
These gaps are often easier for customers to detect when a procurement review reaches into the supplier chain.
For vendors selling into larger organizations, sub-processor governance has become part of product operations and contract management. The companies that keep their downstream stack current and review assurance scope before customers ask are less likely to face avoidable disputes when commercial leverage matters most.
Sources
- Intersoft Consulting. "Art. 28 GDPR – Processor." General Data Protection Regulation (GDPR), 2016.
- White & Case LLP. "Chapter 11: Obligations of processors – Unlocking the EU General Data Protection Regulation." White & Case LLP, 2016.
- High Table. "How to Implement ISO 27001 Annex A 5.20 and Pass the Audit." High Table, n.d.
- Vanta. "ISO 27001 third-party risk management requirements." Vanta, n.d.
- IAPP. "Understanding data processors' ISO and SOC 2 credentials for GDPR compliance." International Association of Privacy Professionals, n.d.
- GDPR Local. "What is a sub-processor under GDPR?" GDPR Local, n.d.
- ComplyDog. "Subprocessors under GDPR: Legal obligations and requirements." ComplyDog, n.d.
