The subprocessor compliance blog
Guides, playbooks, and templates for processors navigating GDPR Article 28.
GDPR Article 28: subprocessor obligations explained
A plain-language guide to GDPR Article 28 — the eight 28(3) obligations, prior authorisation, controller notification, objection rights, and the records processors must keep.
How to notify controllers of a subprocessor change
Step-by-step process for notifying controllers when your subprocessor list changes — identifying affected customers, notice periods, contacts, and capturing evidence.
12 May 2026 · 6 min read
Template
Subprocessor change notification email template
A ready-to-use notification email template for informing controllers of a subprocessor change — the change, effective date, objection window, and where to find the current list.
4 May 2026 · 4 min read
Guide
How to build a subprocessor list page customers actually trust
Why a static subprocessor list page damages trust in procurement — and what a live, scoped subprocessor list looks like instead.
22 April 2026 · 5 min read
Template
Free GDPR subprocessor list template
A free template for building your GDPR subprocessor list. Covers subprocessor name, processing purpose, data categories, location, transfer mechanism, and date added.
26 May 2026 · 3 min read
Template
Vendor DPA review checklist (template)
The terms to check in a vendor's data processing agreement before you onboard them as a subprocessor.
18 May 2026 · 5 min read
Guide
Subprocessor examples — what counts as a subprocessor?
Common examples of subprocessors in B2B SaaS: cloud infrastructure, email delivery, analytics, payment processors, CRMs, and more — and when a vendor is a processor vs a subprocessor.
28 May 2026 · 6 min read
Guide
What is a data processing agreement (DPA)?
A data processing agreement (DPA) is a contract required by GDPR Article 28 between a controller and processor. Here's what it must include and how to use one.
30 May 2026 · 7 min read