It’s very clear that there are no SCCs to support Processor to Sub-Processor relationships. How does your organisation deal with this challenge when a Sub-processor is being engaged and used overseas requiring SCCs for compliance with GDPR?
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Unfortunately very unhelpful, but we had a set drawn up by external counsel. In retrospect, they could probably be drawn up by most privacy pros with a bit of time as it’s two/three pages max.
Alternatively, if the sub-processor is regularly a sub-processor, it might be worth asking if they have their own standard set. As long as they accurately reflect you passing down all your obligations, there might not be a problem?