Subcontracting refers to the processing of personal data carried out by a provider on the instructions of the data controller. The controller determines the purpose and the essential means, while the provider only chooses the non-essential means. There is subcontracting only if the provider has no own purposes and if the processing is a central element of the service.
***
1. Definition of roles
Organisations often collaborate with external providers processing personal data. The correct qualification — subcontractor, joint controllers or independent controller — determines the obligations, documentation, and liability.
2. Key element: the power of instruction
There is subcontracting when the provider is subject to the instructions of the data controller and does not act for its own purposes. The controller determines the purpose and the essential means of the processing.
3. Indicators of subcontracting
‘operational extension’ role
detailed instructions
support function
no decision on the nature or quantity of the data
absence of own interest
systematic access to the data
4. When it is not subcontracting
There is no subcontracting when the provider has its own legal basis (lawyers, accountants), pursues its own purposes, or when the processing is merely a secondary effect of the service.
5. Main activity as an indicator
If data processing is the central element of the service (hosting, cloud services), this generally indicates subcontracting.
***
A qualification correct between subcontracting, joint liability and autonomous liability is essential to ensure compliance, reduce risks, and structure contractual obligations. To facilitate analysis, we recommend using the decision logic and the checklist below as a starting point before any in-depth legal assessment.