Sub-processors in analytics
A sub-processor is a third party that your analytics processor engages to carry out part of the processing — for example cloud hosting, a CDN, or customer support tooling. Under the GDPR, a processor may only engage a sub-processor with the controller's authorisation and must flow down equivalent data-protection obligations by contract. Knowing your provider's sub-processor list is part of due diligence. This page is educational, not legal advice.
What sub-processors are
When you (the controller) use an analytics service (the processor), that service often relies on its own vendors to deliver the product — infrastructure providers, content-delivery networks, error-monitoring tools, or support platforms. Those vendors are sub-processors. GDPR Article 28 requires that the processor not engage a sub-processor without the controller's prior specific or general written authorisation, and that the same data-protection obligations flow down to the sub-processor by contract.
Why they matter for analytics
Sub-processors determine the real geography and security posture of your data: an analytics tool 'hosted in the EU' may still rely on a sub-processor that triggers a transfer. A published sub-processor list, with a mechanism to notify and object to changes, lets controllers assess transfers and security before they happen. The processor remains liable to you for its sub-processors' performance. During vendor selection, review the list, the change-notification terms, and where each sub-processor operates.
Fewer sub-processors generally means a simpler diligence picture.
- Processor needs controller authorisation to add sub-processors
- Equivalent data-protection obligations must flow down
- Sub-processor location can drive transfer analysis
How it appears in analytics and logs
If your analytics vendor uses a cloud host or CDN you did not account for, those are sub-processors; they shape your transfer and due-diligence picture.
Diagnostic use case
Identify which downstream vendors your analytics provider relies on, since sub-processors inherit obligations and can affect where data is hosted.
What WebmasterID can help detect
WebmasterID's minimised model limits what any sub-processor could touch; a short, disclosed sub-processor chain supports controller due diligence.
Common mistakes
- Assessing a vendor without reviewing its sub-processor list.
- Ignoring sub-processor changes that move data abroad.
- Assuming the processor is not liable for its sub-processors.
Privacy and accuracy notes
This page is educational, not legal advice. Each sub-processor expands the chain of parties touching data, so each should inherit equivalent obligations.
Related pages
- Data processing agreements and analytics vendors
When you use a third-party analytics provider, it typically acts as a processor handling personal data on your behalf. GDPR Article 28 requires a written data processing agreement (DPA) setting out the subject matter, duration, instructions, confidentiality, security, sub-processing, and deletion terms. Having no DPA with a processor is itself a compliance gap. This is an educational overview, not legal advice.
- Vendor risk assessment for analytics
Vendor (or third-party) risk assessment is the due-diligence process of evaluating a processor before and during the relationship: what data it handles, where it stores and transfers it, who its sub-processors are, its security posture, and its contractual terms. Under the GDPR, controllers must use only processors providing sufficient guarantees — so assessing an analytics vendor is an accountability step, not optional. This is educational, not legal advice.
- Cross-border data transfers in analytics
The GDPR restricts transfers of personal data outside the EU/EEA unless a valid mechanism applies — an adequacy decision, Standard Contractual Clauses, or another safeguard. Analytics that ships data to servers abroad therefore raises a transfer question, made sharper by case law on access by foreign authorities. Keeping data in-region or minimising it reduces the issue. This is educational, not legal advice.
- Privacy-first analytics
A minimised model limits what any sub-processor can touch.
Sources and verification notes
- EUR-Lex — GDPR Article 28 (processor and sub-processor obligations): primary text on sub-processor authorisation and flow-down. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.