
Sub-processor

A third party that processes personal data on behalf of your direct vendor. Under GDPR the vendor needs your authorisation to use them, which in practice means disclosing each one by name, with its purpose and location, and notifying you of changes.

A sub-processor is a third party that processes personal data on behalf of your direct vendor. If you use a customer support platform, that platform is your processor. The cloud provider hosting that platform is a sub-processor. The email delivery service it uses to send notifications is another sub-processor. The AI inference service answering customer questions is another.

GDPR Article 28(2) requires a processor to obtain the controller's (your) prior authorisation before engaging a sub-processor. Almost every DPA grants that authorisation in general form, conditioned on a published list and advance notice of changes with a right to object, which is why the practical standard is a list naming each sub-processor with its purpose and location. Article 28(4) also requires the vendor to flow the same data protection obligations down to each sub-processor by contract, so the vendor remains liable to you for what its sub-processors do.

Why sub-processors matter

A vendor can have perfect security on its own systems and still leak data through a sub-processor. The cloud host, the email provider, the analytics tool: each one is a possible exposure point, with its own staff, access controls and breach history that your vendor does not directly control. The list is the actual map of where your data flows; without it you are assessing only the first hop.

It also matters for residency. A vendor might host primary systems in the EU but use a US-based sub-processor for, say, transactional email. Personal data then crosses the Atlantic every time a customer gets a notification. That is an international transfer under GDPR Chapter V, so the vendor needs a valid transfer mechanism for it (typically Standard Contractual Clauses or the sub-processor's certification under the EU-US Data Privacy Framework), and the location column is what tells you to ask for it. For some buyers, that is fine. For others, it is a problem.

What a good sub-processor list looks like

A good list has three columns: company name, purpose, and location (where the data is stored and processed, not where the company is headquartered). Optional fourth column: any relevant certifications (ISO 27001, SOC 2). It is kept on a public page, referenced from the DPA, updated when sub-processors are added or replaced, and changes are announced in advance with the opportunity to object.

A vague list that says "we may use various third-party services" gives you nothing to authorise or object to, so it does not meet the Article 28 bar. A list that names companies but does not say what they do or where they operate is not enough either: you cannot judge exposure or residency from a name alone. A list that names AI providers but avoids stating "AI inference" as the purpose is suspect, because that is exactly the entry buyers most want to see.

The notification right

When a vendor adds or replaces a sub-processor, GDPR says they must give controllers prior notice and a chance to object. In practice, most vendors give thirty days' notice and reserve the right to proceed with the change unless the controller terminates the contract. This is permissible as long as the contract spells it out. Check the DPA for the notice period, the channel (an email to a named contact, or only an update to the web page), and what an objection actually gets you.

For most SMB buyers, the notification mechanism is more theoretical than practical. Few SMBs read every sub-processor email. But the right exists and the disclosure must too, and the cheap way to exercise it is to keep your own copy of each vendor's list so that a change notice can be compared against what you previously accepted.

In Keloa

In Keloa, the sub-processor list is public, names every party that touches your data, states the purpose and location, and is referenced in the DPA. Changes are announced before they take effect. See security and data residency for the broader picture.
