What is sub-processing and how to track it?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your ESP processes your subscriber data on your behalf. But your ESP also uses other companies: cloud providers for infrastructure, analytics tools, support platforms. When those companies touch your data, that's sub-processing.

Under GDPR, your ESP (as your processor) needs your permission before engaging sub-processors. They also need to ensure sub-processors meet the same data protection standards you've agreed to in your Data Processing Agreement (DPA).

Why it matters to you: If a sub-processor has a data breach, the chain of responsibility runs back to you as the controller. You're still accountable for the data you collected from your subscribers, even several steps removed from the incident.

How to track sub-processors: Most reputable ESPs publish a sub-processor list in their legal documentation or privacy policy. Mailchimp, Brevo, and SendGrid all maintain these. Check the list and note if any sub-processors are based outside the EU (which triggers additional data transfer requirements).

When your ESP updates their sub-processor list, they should notify you. Your DPA should include a clause requiring this. If it doesn't, that's worth flagging before you sign.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Understand your GDPR sub-processing obligations for your specific setup.

My ESP uses several sub-processors including cloud infrastructure companies. Can you help me understand what data transfer rules apply if any of those sub-processors are outside the EU? I'm based in country and send emails to audience geography.

Edit the yellow boxes, then send to the AI of your choice.