The Supplier shall not subcontract any of its processing operations performed on behalf of the Customer under this Agreement without the prior written consent of the Customer. Where the Supplier subcontracts its obligations under this Agreement, with the consent of the Customer, it shall do so only by way of a written agreement with the subcontractor which imposes the same obligations on the subcontractor as are imposed on the Supplier under this Agreement. Where the subcontractor fails to fulfil its data protection obligations under such written agreement the Supplier shall remain fully liable to the Customer for the performance of the subcontractor's obligations under such agreement. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of subcontractors, thereby giving the Customer the opportunity to object to such changes. Where the Supplier engages a subcontractor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this Agreement shall be imposed on that subcontractor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. The Supplier shall remain fully liable to the Customer for the performance of the subcontractor's obligations. The subcontractor shall have no enforceable rights against the Customer.
Here is a plain English explanation of the Subprocessing clause:
- The Supplier must get written consent from the Customer before allowing any subcontractor to process the Customer's data.
- If the Customer consents to subcontracting, the subcontractor must be bound by the same data protection rules as the Supplier.
- Even if the Supplier subcontracts, they remain fully responsible to the Customer for how the data is handled.
- If the subcontractor breaches data protection, the Supplier is still liable to the Customer.
- The Supplier must inform the Customer of any proposed changes to who is subcontracted, so the Customer can object if needed.
- Any subcontractor engaged must contractually agree to follow data protection law and implement security measures.
- The Supplier always remains fully liable to the Customer for any data processing done by any subcontractor they engage.
- Subcontractors have no direct rights to enforce anything against the Customer.
The emergence of data subprocessing clauses reflects the evolution of privacy law and outsourcing practices. Early data processing contracts focused on controlling primary processors.
Subcontracting received little attention initially. However, risks arose as processing activities became more distributed.
By the 1970s, subprocessors were expressly addressed in some contracts to manage liability. Ambiguities remained under the previous patchwork of laws. Subcontracting clauses then grew more prominent in the 1980s-90s as processing shifted to third parties.
The EU Data Protection Directive 1995 subsequently codified obligations around subprocessors. This required contractually binding any party processing personal data to security and confidentiality duties. However, many organizations continued to underestimate subcontractor risks.
Robust subprocessing clauses finally became the norm following the EU General Data Protection Regulation 2016. GDPR imposed direct obligations on controllers and processors for onward transfers. Leading data protection authorities emphasized subprocessor due diligence and liability.
Today, data subprocessing clauses are standard practice to navigate the complex ecosystem of processing relationships.
They evolved from an afterthought to a core data protection necessity.