Under Article 28(3)(d) the contract must say that:
- the processor should not engage another processor (a sub-processor) without the controller’s prior specific or general written authorisation;
- if a sub-processor is employed under the controller’s general written authorisation, the processor should let the controller know of any intended changes and give the controller a chance to object to them;
- if the processor employs a sub-processor, it must put a contract in place imposing the same Article 28(3) data protection obligations on that sub-processor. This should include that the sub-processor will provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the GDPR’s requirements. The wording of these obligations does not need to exactly mirror that set out in the contract between the controller and the processor, but should offer an equivalent level of protection for the personal data; and
- the processor is liable to the controller for a sub-processor’s compliance with its data protection obligations.