15) Does your organisation have procedures in place to inform and obtain authorisation (if required) from the data controller before engaging a sub-processor?

August 30, 2022

Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Please attach evidence or describe how this is ensured in the notes.

If you process personal data on behalf of another party, you must obtain their prior authorisation before engaging a new sub-processor, unless your contract explicitly states otherwise.

The ICO have published comprehensive guidance about your obligations as a data processor and about what should be included in contracts between controllers and processors.

How to implement the control

When entering into a new data processing contract, and for all existing contracts, you should agree methods of communication with the data controller and methods for obtaining appropriate authorisation. You should ensure you have a way of identifying the data controller of all data you process so that you can determine where and when authorisation may be required.

You may wish to include checks for data ownership in project governance and change management processes, so that you can always identify where changes (including new sub-processors) will affect personal data and can seek appropriate authorisation, if required.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
