All DPA clauses

GDPR DPA clause · high

Subprocessor Authorization and Flow-down

The clause governing subprocessors — requiring the controller’s prior authorization and contractually passing the same data-protection duties down the chain.

What the clause requires

Use of subprocessors must require prior authorization and impose the same data-protection obligations by contract.

Why a GDPR DPA needs it

Article 28(2) and 28(4) require authorization for subprocessors and equivalent obligations on them. Without flow-down, data can reach fourth parties with weaker safeguards.

Risk if it is missing

Personal data may be passed to subprocessors without equivalent safeguards or controller consent.

Free · nothing leaves your browser

Check your DPA against all 10 clauses

Answer 10 quick questions — checked in your browser, no upload. To review the actual wording, the desktop app reads your DPA on your machine and never sends it anywhere.

Run the free DPA check

This page explains a common Data Processing Agreement clause for general information. It is not legal advice. Have a qualified professional review anything that matters.