GDPR DPA clause · high
Subprocessor Authorization and Flow-down
The clause governing subprocessors — requiring the controller’s prior authorization and contractually passing the same data-protection duties down the chain.
What the clause requires
Use of subprocessors must require prior authorization and impose the same data-protection obligations by contract.
Why a GDPR DPA needs it
Article 28(2) and 28(4) require authorization for subprocessors and equivalent obligations on them. Without flow-down, data can reach fourth parties with weaker safeguards.
Risk if it is missing
Personal data may be passed to subprocessors without equivalent safeguards or controller consent.
Free · nothing leaves your browser
Check your DPA against all 10 clauses
Answer 10 quick questions — checked in your browser, no upload. To review the actual wording, the desktop app reads your DPA on your machine and never sends it anywhere.
Run the free DPA checkThis page explains a common Data Processing Agreement clause for general information. It is not legal advice. Have a qualified professional review anything that matters.