Lexicon > Subcontractor

IT Glossary


The processor is the natural or legal person who processes personal data on behalf of the controller.

The processor must serve the interest of the controller by performing a specific task and following the instructions given by the controller, at least with regard to the purpose and the essential elements of the means.

The processor may, however, enjoy a certain degree of autonomy in carrying out the outsourced processing and thus define the non-essential elements of the processing operation.

However, when a subcontractor acts contrary to the instructions of the responsible for the processing, including making decisions about the purpose and the essential elements of the means of processing, it may then be reclassified as a controller and thus subject to the obligations of the latter enshrined in the GDPR.

The controller may only use a processor who provides sufficient guarantees that appropriate technical and organizational measures have been implemented so that the processing meets the requirements of the GDPR and ensures the protection of the data subject.

This includes considering the outsourcer’s expertise, reliability, and resources before outsourcing the processing.

In any case, the processing carried out by the processor must be governed by a legal act such as a contract that binds the processor to the controller defining in particular:

  • Purpose of treatment;
  • Duration of treatment;
  • The nature of the treatment;
  • The purpose of the processing;
  • The type of personal data used;
  • Categories of people involved;
  • The obligations and rights of the data controller.

This act must also specify that the subcontractor does not process personal data only upon documented instruction from the responsible for the processing, that it ensures that the persons authorized to process personal data undertake to respect the confidentiality, that it complies with the conditions for recruiting another processor, that it takes into account the nature of the processing and that it assists the controller in fulfilling its obligation to respond to requests from data subjects.

GDPR focus

In order to ensure that the requirements of this Regulation are met in the context of processing carried out by a processor on behalf of the controller, where the controller entrusts processing activities to a processor, the controller should only use processors providing sufficient guarantees, in particular in terms of expertise, reliability and resources, for the implementation of technical and organisational measures that will meet the requirements of this Regulation, including security of processing. A processor’s application of an approved code of conduct or certification scheme may be used to demonstrate compliance with the controller’s obligations.

Recital 81 of the GDPR

Case law focus 

The CNIL points out that “Article 28 of the GDPR provides various concrete guarantees in terms of data protection, for example by providing for the implementation of security measures or the assistance that must be provided by the processor to the data controller in exercising its rights.

CNIL, July 16, 2021, N° SAN-2021-012

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.