GDPR and subcontracting: How to comply?

Matthieu Duault


Brand Manager @Yousign

Illustration: Léa Coiffey

You have been hearing for months now about GDPR, its constraints, its advantages and you remember the long procedures you had to put in place to make sure you were in compliance with these new personal data protection regulations.

All companies are concerned at some point, whether in their core business or in their marketing and communication activities. Each database needs to be processed. If the task may have seemed complex or even particularly difficult to you, it also gave everyone the opportunity to review their data collection policy, to clean up their databases and to ensure that they could be legally processed.

One of the main objectives of GDPR is to be able to accurately trace data flows and the way in which they go from one structure to another. The difficulty will therefore lie in the particularly frequent cases of subcontracting. How then to combine compliance with GDPR on the one hand, and subcontracting on the other?

As (customer) data controller, you are responsible for ensuring that your subcontractors handling personal data comply with GDPR. If this is not the case, you will be held responsible for it.

As a subcontractor, it is therefore strongly advised to take the lead and inform your client of your compliance. Your customer must be informed and in agreement with your new personal data management policy. An amendment to your contract will therefore have to be submitted to them in order to validate these changes.

Some questions will then come up:

  • How can I make sure that my customers have correctly entered and validated the changes made to our processing of personal data?
  • How can I manage, automate and control sending amendments to my entire customer portfolio?
  • Where and how to store proof of their consent?

What is a processor?

According to the CNIL and in the context of the application of GDPR, you are considered as a processor if "you process personal data on behalf of, on instructions from and under the authority of a controller".

As soon as you are responsible for managing, storing, processing all or part of certain personal data on behalf of your customers, you are a subcontractor. This therefore comprises but is not limited to: a large majority of IT and digital service providers such as Yousign, communication agencies, marketing services or human resources companies, but also a few nonprofit or public bodies which may process personal data on behalf of other structures.

As a reminder, in the context of the processing of a specific data flow, the processor and the controller are two separate legal entities.

According to Article 4-7 of the General Data Protection Regulation, the controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."

The processor is the natural or legal person who will process this data at the request and on behalf of the controller.

For example, you have a database of prospects that you wish to contact via targeted marketing campaigns. To do this, you call on a web marketing service provider.

The webmarketing company will process the data that you have sent them and will therefore have the status of a subcontractor. You will have the status of data controller.

Let's now imagine that this webmarketing company outsources part of its HR activities (payroll, social declarations, etc.). It is, in this context, responsible for the processing of its personnel data. The HR service provider will therefore be a subcontractor.

It is therefore highly likely that you will find yourself both as a processor for your customers and as the controller of certain data processing operations, whether or not you have processors yourself. The best way to clearly visualise these data flows is to draw up an internal diagram identifying, for each of them, the subcontractors and data controllers.

Processors' requirements in GDPR

GDPR has extended the processor's responsibilities with regard to the personal data it processes on behalf of the Data Controller. While the latter is always on the front line with regard to the control of data flows and their processing, the processor is not to be outdone. According to the CNIL, its obligations can be broken down into four main areas.

A transparency and traceability obligation

The relationship you have with your customer must be perfectly transparent. It is highly recommended that you contractually define the obligations of each party as well as the general scope of your mission. The advantage is to have a written document listing the actions you can take on the data transmitted by your client or managed on his behalf.

You must also make sure that you have your client's explicit consent if you also use a sub-contractor who will have access to all or part of the data that you process and for which the client is responsible.

"The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."

General Data Protection Regulation, Article 28-2

Consideration of data protection principles by design and by default

All of your tools and services must comply with the general regulations on data protection.

In addition, you must guarantee that only the data necessary for your task is stored and processed only by authorised personnel.

Obligation to guarantee the security of data processed

You must be able to guarantee your customer that the data they entrust to you is secure. All of your staff who process this data must therefore be subject to an obligation of confidentiality with regard to the information.

You will also be required to delete and/or transfer this data to your client at the end of your service and as requested by your clients, unless you are required by law to retain it. This is the case, for example, with billing processes, or, as Yousign does, with the records of evidence related to each of the signatures processed in its application.

An assistance, alert, and advice obligation

Being in charge of data processing on behalf of the data controller, you must be able to accompany your client and advise them on the correct use of the processed information. It is also your responsibility to alert them when there is a risk to the data or its processing.

You are thus under the obligation to warn your client when one of the requests they make in the context of your mission violates one of the rules of GDPR.

The General Data Protection Regulation also requires the processor to make every effort to ensure that the controller can respond to requests from people who wish to exercise their rights in terms of personal data protection (access, portability, right to be forgotten, etc.) and to alert them in the event of a security breach.

How to set up a reliable and secure procedure for changing privacy rules?

This new regulation entails new responsibilities for both data controllers and subcontractors, as well as the implementation of new processes for the collection, processing and protection of personal data.

Over the last few months, you, as a professional or private individual, have received a myriad of emails and notifications inviting you to consult and validate the new general conditions for the protection of personal data for your applications, subcontractors, social networks, e-commerce, etc.

All companies managing data had to comply with the exercise.

As a processor and in order to be in full compliance with GDPR, you must ensure that all of your clients have received, consulted and validated these new rules in full knowledge of the facts. This necessarily implies more or less important changes in the terms of the contract you have signed with your client. It is therefore necessary, in order to scrupulously follow the rules, to sign an amendment to your initial contract, new GSCs or even a new contract.

Once this document has been drawn up, you will need to send it to all your clients, follow up on each of the procedures and ensure that it has been signed by a decision-maker or someone with delegated signing authority.

The electronic signature can greatly facilitate the implementation of this procedure. An application such as Yousign will enable you to better manage the mass emailing of contract amendments to your customers, to follow up on signature procedures, and to quickly identify problem areas by exchanging directly on the document with your customers.

Finally, an evidence file is created and kept for 10 years. This process is inherent to any procedure and will represent irrefutable proof of your clients' agreement to these new terms and conditions.


If many organisations today simply tick a box stating that you have entered their new data protection policy correctly, the viability of this approach could be questioned. Won't the new General Data Protection Regulation eventually require a signature on the GSCs to ensure that they are effectively understood and validated by customers and users alike?
