+44 (0) 121 582 0192 [email protected]


In today’s data-driven world, maintaining compliance with global data protection laws is paramount. One crucial aspect of this compliance is the establishment of Data Processing Addendum (DPA) contracts between data processors and sub-processors. These contracts are not just a legal formality; they are essential to ensure that data protection obligations are upheld throughout the data processing chain. Without them, a data processor’s contract with its data controller could be invalidated, leading to significant legal and financial repercussions.


What is Sub-Processing?

Sub-processing occurs when a data processor engages another party, known as a sub-processor, to perform specific processing activities on behalf of a data controller. For example, a cloud service provider (data processor) might use a third-party data centre (sub-processor) to store the data they manage for their clients (data controllers). Another instance could be a payroll service provider (data processor) outsourcing certain administrative functions to a specialised HR software provider (sub-processor).


Why Sub-Processor Due Diligence is Essential

Conducting due diligence on sub-processors is not just a best practice; it is a legal necessity. Data processors are required to ensure that their sub-processors adhere to the same data protection obligations that they are subject to under their contract with the data controller. This process involves:

  • Evaluating the sub-processor’s data protection policies and practices: Ensuring they comply with relevant data protection laws and standards.
  • Assessing the sub-processor’s security measures: Verifying that they have robust mechanisms to protect the data from breaches or unauthorised access.
  • Reviewing the sub-processor’s history: Checking for any past incidents of data breaches or non-compliance with data protection regulations.

Failure to conduct thorough due diligence can invalidate the data processor’s contract with the data controller. If a sub-processor fails to meet data protection standards, the data processor could be held liable for any breaches or non-compliance issues, resulting in potential legal actions and penalties. Moreover, the data controller might terminate the contract with the processor, leading to financial losses and reputational damage.


Ensuring Liability Clauses are in Place to Protect the Data Processor

To mitigate the risks associated with sub-processing, it is crucial to include comprehensive liability clauses in DPA contracts. These clauses should clearly outline:

  • The responsibilities of each party: Defining the scope of data processing activities and the specific obligations of the sub-processor.
  • Indemnification provisions: Ensuring that the sub-processor agrees to indemnify the data processor for any losses, damages, or penalties resulting from their non-compliance or data breaches.
  • Audit rights: Allowing the data processor to conduct regular audits of the sub-processor’s data protection practices to ensure ongoing compliance.
  • Termination clauses: Providing the data processor with the right to terminate the contract if the sub-processor fails to meet data protection standards.

Having these clauses in place helps safeguard the data processor from potential liabilities and ensures a clear framework for accountability and remediation in case of non-compliance.


How External Expert Guidance on Processor Contracts Can Alleviate Risks

Given the complexity of data protection laws and the critical nature of DPA contracts, seeking external expert guidance can significantly alleviate the risks for data processors. Engaging with global privacy consultants, such as Formiti Data International, can provide valuable insights and assistance in several ways:

  • Expert review and drafting of DPA contracts: Ensuring that all necessary legal provisions and protections are included.
  • Comprehensive due diligence processes: Developing and implementing robust procedures for assessing and monitoring sub-processors.
  • Ongoing compliance support: Providing continuous advice and updates on evolving data protection regulations to ensure ongoing compliance.

Formiti Data International offers global privacy services that help organisations navigate the complexities of data protection laws. Our expertise ensures that data processors can establish and maintain compliant relationships with their sub-processors, thereby protecting their contracts with data controllers and mitigating the risks of non-compliance.


DPA contracts between data processors and sub-processors are not just a legal obligation but a crucial component of a robust data protection strategy. Ensuring that due diligence is conducted, liability clauses are in place, and external expert guidance is sought can significantly mitigate the risks and protect the interests of data processors in the complex landscape of global data protection.