Vendor risk management

Learn how to manage the risks of subcontracting with the GDPR.

The requirements of the GDPR are extended to vendors (subcontractors or processors).


The subcontracting contract must specify the object, the duration, the nature and the purpose of the processing, the type of personal data, the categories of data subjects, the rights and obligations of the controller and the obligations of subcontracting in terms of personal data protection.


The processor must allow audits to be carried out by the controller so that the latter ensures that he respects the contractual clauses relating to the protection of personal data and that he does not process the personal data transferred only to purposes provided for in the subcontract and on a documented instruction from the controller.

Supervision of the subcontracting chain

The processor does not recruit any other processor (level 2 processor) without the prior, specific or general written authorization of the person in charge of the processing. Any contract with a level 2 processor must provide the same data protection obligations provided for in the contract concluded with the controller.

Register of subcontractors

Each processor must keep a record of all the processing carried out on behalf of each controller. This register must be linked to the data controller register and must also be made available to the supervisory authority on request.

Liability of the subcontractor

The subcontractor is not liable for material or moral damage caused by the processing of personal data only if he has not complied with the obligations laid down by the GDPR which fall specifically upon him or if he has acted outside the instructions of the controller. The processor is subject to the same administrative fines and penalties as the controller.

For more information

pageAttach a risk to a processing activity

Last updated