GDPR Subcontractor: Why Evaluating Your Service Providers Has Become a Vital Issue for Your Business
Outsourcing the processing of its data to a service provider never absolves the company of its responsibilities. Since 2021, the CNIL has increased sanctions against organizations that had not properly assessed or regulated their GDPR subcontractor €1 million against Mobius Solutions in December 2025, €1.5 million against Dedalus Biologie, €600,000 against Canal+ Group, €800,000 against Discord. The message is clear: outsource the processing of personal data is not delegating compliance.
For managers, the issue has shifted from legal matters to risk management. Evaluating service providers, formalizing the GDPR subcontracting agreementMonitoring the chain over time: these are legal obligations whose non-compliance is costly.
Understanding the role of the GDPR subcontractor and their obligations
Who is a subcontractor within the meaning of the GDPR?
The GDPR defines a data processor as any natural or legal person who processes personal data on behalf of data controllerAs soon as a service provider accesses, hosts, analyzes or stores personal data that you entrust to him, he is a subcontractor: cloud hosts, SaaS publishers, payroll providers, marketing agencies, call centers, CRM, email providers, IT maintenance companies.
The border with the status of data controller is not always obvious. A service provider who decides on the purpose or means of data processing moves into a higher category and then bears full responsibility. This is precisely the trap into which Mobius Solutions Ltd fell, fined one million euros by the CNIL in December 2025 for reusing Deezer data to improve its own services, without any instruction from its client.
The subcontractor's obligations as outlined in Article 28
Article 28 of the GDPR specifically lists the obligations of the subcontractor : act only on documented instructions, guarantee the confidentiality of authorized personnel, implement appropriate technical and organizational security measures, assist the data controller in managing individuals' rights and reporting violations, deleting or returning data at the end of the service, and maintaining a processing activities register specific to its activity.
This last obligation is often overlooked. However, the CNIL (French Data Protection Authority) has cited it in several recent sanctions, including the Mobius Solutions case. Failing to keep a register means depriving oneself of the main proof of compliance in the event of an audit.
Cascading subcontracting: prior authorization is mandatory
A subcontractor may only engage a subsequent subcontractor ("cascade") with prior written authorization, specific or general, from the data controllerIn the case of general authorization, the provider must inform the client of any changes to allow them to object. A SaaS provider that relies on a cloud hosting provider, which itself uses a monitoring sub-provider, must be able to document each link in the chain.
The obligation to evaluate subcontractors: a duty too often neglected
An explicit and structuring obligation of the GDPR
Article 28, paragraph 1 of the GDPR is unambiguous: the data controller "Only uses subcontractors who offer sufficient guarantees." This is not a recommendation, it is a positive obligation. Before entering into a contract, the manager must ensure that their service provider has the skills, procedures, and organization to process data in accordance with the regulation.
This implies a formalized evaluation procedure: criteria grid, compliance questionnaire, request for supporting documents (security policy, certifications, DPA, register, designation of a DPO), analysis of subsequent subcontractors, verification of server location and any potential data transfers outside the EU. This assessment must be tracked and kept — without it, the manager will not be able to demonstrate either his diligence or his compliance with the principle of accountability.
CNIL sanctions that should alert managers
In 2024, the CNIL It issued 87 sanctions totaling over 55 million euros. Several recent cases show that evaluating and regulating its service providers has become a key area of control.
The Dedalus Biologie case (April 2022, €1.5 million) remains emblematic. CNIL The French Competition Authority sanctioned this software publisher for medical laboratories following a massive data breach involving health information. Beyond the security flaw, the absence of mandatory clauses from Article 28 in its standard contracts was the primary reason given. This decision marked a turning point: a subcontractor can now be directly penalized for failing to properly formalize the relationship, regardless of the client's responsibility.
The Mobius Solutions Ltd / Deezer case (December 2025, 1 million euros) illustrates the most frequent shortcomings: data retention beyond the end of the contract, processing outside of the client's instructions, lack of register, lack of security measures which led to the publication of the data of several million users on the darknet.
The Discord case (2022, €800,000) is resulting in sanctions on the side of the data controller the absence of a contract compliant with Article 28. Canal+ Group, fined €600,000 in 2022, was penalized in particular for the lack of sufficient contractual agreements. As of January 27, 2021, the CNIL inaugurated his doctrine by simultaneously sanctioning a data controller (€150,000) and its subcontractor (€75,000) for failure to take measures against credential stuffing.
What the CNIL examines in its audits
As decisions are made, the control grid of the CNIL The details have become clearer. The authority is verifying the existence of a GDPR subcontracting agreement written and compliant with Article 28, the documentation of instructions, the up-to-date list of subsequent subcontractors, the technical and organizational measures actually implemented, the notification procedures for a data breach, the arrangements for assisting individuals with their rights, the conditions for ending the contract and the traceability of audits carried out.
To prepare your organization for these checkpoints, our A complete guide to GDPR compliance audits details the methodology to be applied.
Do you want to secure your subcontracting chain and demonstrate your compliance?
Building a solid contractual framework: the GDPR subcontracting agreement
The mandatory clauses of Article 28, paragraph 3
The DPA (Data Processing Agreement), Or GDPR subcontracting agreementmust include a core set of clauses mandated by the regulation: subject matter and duration of processing, nature and purpose, type of data and categories of persons, obligations and rights of the data controllerIt must also include eight specific commitments from the subcontractor: to act on documented instructions, to guarantee confidentiality, to take the required security measures, to engage subsequent subcontractors only with authorization, to help respond to requests from individuals, to assist in matters of security and notification, to return or delete data at the end of the contract, and to make available all the information necessary for audits.
A publisher's standard terms and conditions are generally insufficient, such as the CNIL Dedalus and several other service providers, who have since been sanctioned, were criticized for this. A contract-by-contract review is essential.
Pitfalls to avoid in writing
Several errors regularly undermine compliance. A clause totally exempting the subcontractor from liability is unenforceable against the CNIL as to the victim of a leak. A missing or outdated list of subsequent subcontractors exposes the data controller to a failure. Vaguely described security measures are insufficient: the CNIL awaits a concrete, verifiable, dated reference document. The absence of a violation notification procedure, or deadlines incompatible with the 72 hours imposed on the data controller, is systematically retained against defaulting subcontractors.
The central role of the DPO and data governance
THE DPO The Data Protection Officer (DPO) plays a pivotal role: they lead the evaluation of service providers, validate contractual clauses, oversee the register of subcontractors, and alert management to risks. In the absence of DPOThese missions must be carried out by a clearly identified function. data governance largely relies on this ability to maintain the relationship with subcontractors over time.
Managing the relationship over time: audits, monitoring and incidents
A continuing obligation, not a signature formality
Putting it in a contract is not enough. data controller must ensure over time that its service provider respects its commitments: periodic audits, annual review of the DPA, systematic update in case of change (new subsequent subcontractor, new scope, new server location).
There CNIL is explicit: using a subcontractor never exempts the data controller of its duty of care. Canal+'s sanction was based precisely on the finding that effective oversight of service providers was not implemented. Conversely, a company capable of producing audit reports, completed questionnaires, and action plans demonstrates its diligence, even in the event of an incident.
THE Viqtor Subcontractors Module centralizes the evaluation, the contract, subsequent subcontractors, audits and the history of exchanges in a single repository.
Responding to a data breach involving a service provider
A significant proportion of the violations reported each year to the CNIL involves a subcontractor. data controller Therefore, a rapid alert system must be included in the contract from the outset. The subcontractor is required to inform their client "as soon as possible," which in practice means 24 to 48 hours to allow for notification within the legal 72-hour period. CNILOur page dedicated to the data breach statement He details the steps.
What you need to note
- Any service provider that deals with personal data for your account is a GDPR subcontractor, and engages your responsibility as well as his.
- Prior assessment of a subcontractor is an explicit obligation under Article 28 paragraph 1 of the GDPR, not a good practice.
- THE GDPR subcontracting agreement (DPA) must include all the mandatory clauses of Article 28; standard general terms and conditions are almost never sufficient.
- The sanctions CNIL Recent cases (Mobius €1M, Dedalus €1.5M, Canal+ €600k, Discord €800k) show that the authority sanctions both defaulting service providers and negligent clients.
- Compliance is proven through documentation: registers, audits, reports, action plans.
- A subcontracting relationship is managed over time, not just at the time of signing.
FAQ — GDPR Subcontractor
What are the obligations of a subcontractor under the GDPR?
The subcontractor must act only on documented instructions from the data controller, guarantee confidentiality, implement appropriate security measures, keep a record of its activities, assist its client in managing rights and violations, only use subsequent subcontractors with written authorization, and return or delete data at the end of the contract.
Can a subcontractor use another subcontractor (cascading subcontracting)?
Yes, with prior written authorization from the data controllerSpecific or general authorization. In the case of general authorization, the subcontractor must inform its client of any changes to allow the client to object. The initial subcontractor remains fully responsible for the performance of obligations by the subsequent subcontractor and must impose the same contractual obligations on it.
What penalties does a subcontractor face for non-compliance with the GDPR?
A subcontractor can be sanctioned by the CNIL up to €10 million or 2,140,000 of its annual worldwide turnover, whichever is higher. Mobius Solutions Ltd (€1 million in December 2025) and Dedalus Biologie (€1.5 million in April 2022) are recent examples. The subcontractor may also be held liable to the individuals concerned under Article 82.
What clauses should be included in a GDPR subcontracting agreement?
THE DPA It must describe the object, duration, nature and purpose of the processing, the categories of data and individuals, and incorporate the eight commitments of Article 28(3): documented instructions, confidentiality, security, oversight of subsequent sub-processors, assistance with the rights of individuals, assistance with notification, return or destruction of data at the end of the contract, and provision of information for audits. The list of subsequent sub-processors must be attached.
How to choose a GDPR-compliant subcontractor for an SME?
The evaluation is based on a few key criteria: the existence of a DPA compliant, presence of a DPOData location (preferably EU), security certifications (ISO 27001, HDS for healthcare), an up-to-date list of subsequent subcontractors, references, and incident history. A completed and retained formal compliance questionnaire serves as proof of your due diligence in the event of an audit.
What are the responsibilities of a cloud hosting provider as a GDPR subcontractor?
A cloud hosting provider that hosts personal data For a client, this is a subcontractor. The subcontractor must ensure security (encryption, access control, backups), inform the client in case of a breach, supervise subsequent subcontractors, enable data portability and effective deletion, and provide transparency regarding data location and transfers. For health data, specific certifications such as HDS are required.
Evaluating, supervising and managing your subcontractors is not something that can be improvised.
To learn more: find all our resources on GDPR compliance on the Viqtor platform.