Sub-Processor
Also known as: Sub-Operator, Sub-Processor.
What is a Sub-Processor?
A sub-processor is a third party engaged by an operator to assist with processing personal information under an operator agreement — for example a cloud hosting provider sitting behind a SaaS vendor. POPIA treats sub-processors as operators, requiring the primary operator to flow down section 21 obligations and obtain the responsible party's authorisation.
Drafted and reviewed by
Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)
Definition and context
Although POPIA does not use the term "sub-processor", the concept flows from section 20(b), which requires an operator to process personal information only with the knowledge or authorisation of the responsible party. An operator that engages a third party to perform part of the processing is delegating authority that the responsible party granted. The Information Regulator's 2021 Guidance Note confirms that such third parties are themselves operators, and that the primary operator must flow down section 21 security and confidentiality obligations in a written sub-operator agreement.
Typical sub-processors include: infrastructure-as-a-service providers (AWS, Azure, Google Cloud), email delivery services (SendGrid, Mailgun), payment processors, analytics vendors, customer-support chat tools and offshore development teams. Each often sits outside South Africa, engaging section 72 of POPIA (cross-border transfer) in addition to sections 20 and 21. The contract chain must therefore support (i) data-subject rights downstream, (ii) breach notification up the chain, and (iii) the responsible party's right to withdraw consent to a specific sub-processor.
Best-practice operator agreements set out a list of approved sub-processors on a webpage, require 30 days' notice of new sub-processors, give the responsible party an objection right (usually termination of the relevant service if unresolved), and require contractual flow-down of all material POPIA obligations — including cross-border transfer safeguards, breach notification, deletion on termination and audit cooperation. Failure to flow these obligations down results in joint and several liability up the chain in terms of section 99.
Where this term lives in law
Protection of Personal Information Act 4 of 2013
Sections: 19, 20, 21, 22, 72, 99
Regulates the processing of personal information by public and private bodies in South Africa.
Frequently asked questions
What is a sub-processor under POPIA?
A sub-processor is a third party engaged by an operator to assist with processing personal information on behalf of the responsible party. Although POPIA does not name sub-processors, the Information Regulator treats them as operators in their own right and requires flow-down of section 21 duties.
Does an operator need consent to engage a sub-processor?
Yes. Section 20(b) requires the operator to process only with the knowledge or authorisation of the responsible party. Delegating any part of the processing to another party requires express or general consent, usually via a list of approved sub-processors with a change-notification mechanism.
How must an operator contract with a sub-processor?
The same terms that apply between the responsible party and the operator under section 21 must be flowed down in writing to the sub-processor — security, confidentiality, breach notification, sub-processor consent, data-subject cooperation and termination deletion. The operator remains liable to the responsible party for the sub-processor's acts.
What if a sub-processor is based offshore?
Cross-border transfer is regulated by section 72 of POPIA. The responsible party must ensure one of the five lawful bases is met — including adequate law, binding corporate rules, operator agreement that provides equivalent protection, data subject consent, or necessity for contract performance. Flow-down in the sub-processor contract is essential.
