What is a “live sub-processor list”? Do we need one?

It’s a public, always-current page listing vendors your processor uses to handle customer data. It supports GDPR Art. 28 duties (pre-authorization and change notices) and reduces procurement friction.

GDPR requires processors to get a controller’s specific or general written authorization before using sub-processors and to inform controllers of changes so they can object. A “live sub-processor list” is a simple way to meet that expectation: publish the current vendor list, describe the service, the data handled, hosting region, and a change-notification mechanism (email or RSS). It isn’t a defined legal term in GDPR, but it’s a widely adopted transparency pattern that operationalizes Article 28(2)/(4). Practically, it speeds up DPAs, builds trust, and saves your team from one-off updates in security questionnaires. Keep it accurate, give notice windows (e.g., 30 days), and archive changes for audit.

Highlights

  • Article 28 requires authorization and notice for sub-processors.

  • A live list + change notices = low-friction compliance.

  • Include vendor name, purpose, data types, region, and notice mechanism (gdpr.org).

How to apply

Stand up a table on your website with a “subscribe for changes” option, add it to your DPA, and route updates through Ops monthly.

Sources

GDPR Art. 28; ICO guidance on processors and sub-processors.
