Who is liable if a sub-processor is used?

If you are a sub-processor, you will be liable for any damage caused by your processing only if you have not complied with the GDPR obligations imposed on processors or you have acted contrary to lawful instructions from the controller, relayed by the processor, regarding the processing.

If you are a processor and use a sub-processor to carry out processing on your behalf, you will be fully liable to the controller for the sub-processor’s compliance with its data protection obligations. This means that, under Article 82(5), if a sub-processor is at fault, the controller may claim back compensation from you for the sub-processor’s failings. You may then claim compensation back from the sub-processor.

A sub-processor may also be contractually liable to the processor for any failure to meet the terms of the agreed contract. This will of course depend on the exact terms of that contract.

Processors and sub-processors should seek their own legal advice on issues of liability and on the contracts between controllers and processors, and between processors and sub-processors.