What is sub-processing and how to track it?

Sub-processing occurs when your data processor engages another organization to help process personal data on your behalf. Your ESP might use cloud infrastructure providers for hosting, deliverability vendors for sending optimization, analytics services for reporting, or security providers for fraud detection. Each of these third parties processing your subscriber data through the ESP is a sub-processor, creating a chain of processing relationships that extends beyond your direct vendor relationship.

Under GDPR, controllers must authorize sub-processing. This can be specific authorization (you approve each sub-processor individually) or general authorization (you approve categories of sub-processors, with the processor required to inform you of changes so you can object). Most ESP Data Processing Agreements use general authorization: the ESP maintains a list of sub-processors and commits to notifying you of additions or changes. Your DPA should specify the authorization model and your rights regarding sub-processor changes.

To track sub-processors effectively, review your ESP's sub-processor list (usually published on their website or available upon request), understand what each sub-processor does with your data, ensure sub-processors meet adequate security and compliance standards, and monitor for changes that might affect your compliance posture. Consider whether sub-processor locations create cross-border transfer issues. If a sub-processor is added in a jurisdiction that concerns you, exercise your objection rights before they begin processing your data. You chose your processor deliberately. Make sure you're equally aware of who your processor chooses to help process your data.