subprocessor.io

How to notify controllers of a subprocessor change

12 May 2026

Notifying controllers of a subprocessor change is a multi-step process governed by GDPR Article 28(2) and the specific DPA terms signed with each controller. Failure to notify properly can trigger controller objections, contract disputes, and regulatory scrutiny. Here is the step-by-step approach.

Step 1: Identify affected controllers. When you add or replace a subprocessor, you must notify every controller whose data could be processed by that subprocessor. Start by mapping which controllers have data flowing through the impacted processing activity. A blanket 'notify everyone' send is often wrong: it creates noise for unaffected customers and obscures who genuinely needed to know.

Step 2: Check the notice period in each DPA. Most DPAs specify a notice period—typically 10, 14, or 30 days—during which the controller must be informed before the subprocessor begins processing data. Some DPAs give the controller the right to object within that window; others require only notification. Periods vary by customer, and you must respect each one independently.

Step 3: Reach the right contacts. Locate the correct notification contact for each controller—often a data protection officer, privacy lead, or legal contact named in the DPA. Sending to a general account contact instead of the named privacy contact is a common failure point, and stale distribution lists cause missed notices.

Step 4: Send the notification and record it. State the new subprocessor, its purpose, the data it will process, the effective date, the objection deadline, and how to object. Send via a recorded method and log the send—timestamp, recipient, and delivery status—so you can prove the notice went out.

Step 5: Manage the objection window. During the notice period, monitor for objections. If a controller objects on reasonable grounds (for example, an inadequate security posture or an unfavourable transfer jurisdiction), work with that controller to find a solution before engaging the subprocessor: additional security commitments, a different transfer mechanism, or an alternative vendor.

Step 6: Update your subprocessor list. Once the notice period has elapsed without a valid objection, update your live subprocessor list to reflect the change and confirm to affected controllers that it has taken effect. Throughout, keep documentation of when each controller was notified, the period offered, objections received, and how they were resolved—this is your evidence of Article 28(2) compliance.
