We use an IT service provider X (they are our data processors). Provider X sub-contracts out to Company Y. We pay Provider X for the services of Company Y. Does that mean we need a data processor agreement only with Provder X or also with Company Y ? Our IT Service Provider X has said that we must sign a separate agreement with company Y (also they haven't listed Company Y on DPA as sub-processors) .Should we have a signed agreement with Provider X sub-contractor Y ?
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Expert
Andrei Hanganu
May 07, 2018
Answer:
Company Y is clearly acting as a sub-processor of company X, thus, company Y and company X need to have a DPA among themselves. I definitely not you who needs to sign a DPA with company Y unless you contract directly a service from them.
To find out more about sub processors you can also check out our free course “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
Comment as guest or Sign in
May 07, 2018
May 07, 2018
May 07, 2018