Article 28(2) and (4) of the GDPR directly deal with the situation where a processor engages “another processor,” which can be called a “sub-processor” or a “level 2 processor”.
Under the GDPR, the controller must give its prior written authorization when its processor intends to entrust all or part of the tasks assigned to it to a sub-processor.
Even after having obtained the controller’s formal authorization, the processor remains fully liable to the controller for the performance of the sub-processor’s obligations. In case of cascading subcontracting, these obligations will be passed down to the other sub-processors (level 3 processor and so on).
Below is a list of Eyvo’s sub-processors as defined by the GDPR.
|Amazon Web Services||Eyvo.com website host||Name,email||USA|
|ClickUp||Project Management||Name,email, phone||USA|
|Microsoft||Infrastructure provision and Software development||N/A||USA, Europe|
|Xero||Financial Analysis||Name, email||USA|