> For the complete documentation index, see [llms.txt](https://doc.dastra.eu/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doc.dastra.eu/en/useful-reminders/risk-management/processor-risks.md).

# Vendor risk management

The requirements of the GDPR extend to vendors (subcontractors or processors).

## Contract

The subcontracting contract must specify the subject matter, the duration, the nature and the purpose of the processing, the type of personal data, the categories of data subjects, the rights and obligations of the controller, and the obligations of the processor with regard to personal data protection.

## Audit

The processor must allow audits to be carried out by the controller, so that the controller can verify that the processor complies with the contractual clauses relating to the protection of personal data and that it processes the personal data transferred to it only for the purposes provided for in the subcontract and only on documented instructions from the controller.

## Supervision of the subcontracting chain

The processor must not engage any other processor (level 2 processor) without the prior specific or general written authorization of the controller. Any contract with a level 2 processor must impose the same data protection obligations as those provided for in the contract concluded with the controller.

## Register of subcontractors

Each processor must keep a record of all processing carried out on behalf of each controller. This register must be linked to the controller's register of processing activities and must also be made available to the supervisory authority on request.

## Liability of the subcontractor

The processor is liable for material or non-material damage caused by the processing of personal data only if it has not complied with the obligations laid down by the GDPR that apply specifically to processors, or if it has acted outside the instructions of the controller. The processor is subject to the same administrative fines and penalties as the controller.

## For more information

{% content-ref url="/pages/zGkLmYam7IP9xxLigjAY" %}
[Attach a risk to a processing activity](/en/features/risk-management/attach-a-risk-to-a-processing-activity.md)
{% endcontent-ref %}
