GDPR Art. 13(1)(e) requires controllers to name the recipients or categories of recipients of personal data at the point of collection. Art. 28(3) requires that processor contracts specify which subprocessors are authorized. A privacy policy that says 'we share data with trusted third-party service providers' names nobody and satisfies neither requirement. Users cannot exercise their rights intelligently — including objecting to specific processing — if they do not know which companies receive their data. Regulators have issued guidance specifically requiring named subprocessors, not category descriptions, for transparency obligations to be met.
Low because the missing list is a transparency and documentation failure under Arts. 13 and 28 rather than an active harm — but it is independently sanctionable and blocks meaningful exercise of user rights.
Add a named subprocessor table to your privacy policy, listing every service that receives personal data with its purpose, data shared, location, and transfer mechanism.
## Our Subprocessors
| Service | Purpose | Data Shared | Location |
|------------------|--------------------------|------------------------------|-------------|
| Stripe | Payment processing | Billing address, email | US (SCCs) |
| Resend | Transactional email | Email address, name | US (SCCs) |
| Google Analytics | Usage analytics | Pseudonymous ID, events | US (SCCs) |
| Sentry | Error monitoring | Error context, user ID | US (SCCs) |
| Vercel | Application hosting | Request logs, IP (ephemeral) | US/EU (SCCs) |
| Supabase | Database hosting | All stored personal data | EU region |
Update this table within 30 days of adding or removing a subprocessor. Notify existing customers of material changes in advance. Cross-reference the list against your codebase integrations quarterly to catch drift.
ID: gdpr-readiness.data-processing.sub-processor-list
Severity: low
What to look for: GDPR requires that data controllers inform data subjects of the third parties (subprocessors) to whom their data is disclosed. Check whether the privacy policy contains a list of the main third-party services that process personal data, what data each receives, and for what purpose. Commonly omitted: error-tracking services (Sentry), CDN providers (Cloudflare) and infrastructure providers (AWS, Vercel), which are often forgotten while the obvious ones (Stripe, analytics) are listed. Check whether the subprocessor list is reasonably current: does it include the services that are actually integrated in the codebase? Cross-reference the code with what is listed. Count all instances found and enumerate each.
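The "cross-reference the code with what is listed" step above (and the quarterly drift check in the recommendation) can be automated for the common case where a subprocessor is reached through an SDK dependency. The following is an added example for this check, not code from the rule or from any project it describes: it reads the Service column out of a policy's markdown table, maps runtime dependencies from a package.json to vendors, and reports the two kinds of drift. The SDK-to-vendor mapping is an assumption you maintain by hand, and both the policy table and the manifest below are constructed samples.

```python
"""Subprocessor drift check: compare the vendors named in a privacy policy's
markdown table against the third-party SDKs present in a dependency manifest.

Added example for the gdpr-readiness sub-processor-list check; not part of the
rule or any project. SDK_TO_VENDOR is an assumed, hand-maintained mapping, and
POLICY_MARKDOWN / PACKAGE_JSON are constructed samples."""
import json
import re

# Assumed mapping from npm package name to the vendor that receives data.
# Extend it for your own stack; packages not in the map are ignored.
SDK_TO_VENDOR = {
    "stripe": "Stripe",
    "@stripe/stripe-js": "Stripe",
    "@sentry/node": "Sentry",
    "@sentry/nextjs": "Sentry",
    "resend": "Resend",
    "@sendgrid/mail": "SendGrid",
    "@supabase/supabase-js": "Supabase",
    "@clerk/nextjs": "Clerk",
    "@vercel/analytics": "Vercel",
}

# Constructed sample: the subprocessor table as published in the policy.
POLICY_MARKDOWN = """\
## Our Subprocessors
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Billing address, email | US (SCCs) |
| Resend | Transactional email | Email address, name | US (SCCs) |
| Google Analytics | Usage analytics | Pseudonymous ID, events | US (SCCs) |
| Supabase | Database hosting | All stored personal data | EU region |
"""

# Constructed sample manifest: Sentry and Clerk are integrated but unlisted;
# Resend is listed but no longer a dependency.
PACKAGE_JSON = json.dumps({
    "dependencies": {
        "next": "14.2.0",
        "stripe": "14.0.0",
        "@sentry/nextjs": "7.100.0",
        "@supabase/supabase-js": "2.39.0",
        "@clerk/nextjs": "4.29.0",
    },
    "devDependencies": {"typescript": "5.3.0"},
})


def declared_subprocessors(markdown: str) -> set[str]:
    """Return the Service column of the policy's markdown table,
    skipping the header row and the |---| separator row."""
    services = set()
    for line in markdown.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells or cells[0].lower() == "service" or re.fullmatch(r"-+", cells[0]):
            continue
        services.add(cells[0])
    return services


def integrated_vendors(package_json: str) -> set[str]:
    """Map runtime dependencies to vendors; devDependencies never ship
    production data, so they are ignored."""
    deps = json.loads(package_json).get("dependencies", {})
    return {SDK_TO_VENDOR[p] for p in deps if p in SDK_TO_VENDOR}


def drift(declared: set[str], integrated: set[str]) -> dict[str, set[str]]:
    """'undeclared' = in code but not in the policy (a fail under this rule).
    'stale' = in the policy but with no dependency footprint; these need manual
    review rather than automatic removal, because hosting, CDNs and script-tag
    analytics leave no trace in the manifest."""
    return {"undeclared": integrated - declared, "stale": declared - integrated}


def main() -> None:
    report = drift(declared_subprocessors(POLICY_MARKDOWN), integrated_vendors(PACKAGE_JSON))
    for vendor in sorted(report["undeclared"]):
        print(f"FAIL: {vendor} is integrated but not named in the subprocessor list")
    for vendor in sorted(report["stale"]):
        print(f"REVIEW: {vendor} is listed but has no dependency footprint")


if __name__ == "__main__":
    main()
```

Run it in CI against the real policy file and manifest; an "undeclared" hit is exactly the fail condition of this check, while "stale" entries are a prompt to confirm the service is still in use through some path the manifest cannot see.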
Pass criteria: A subprocessor list exists in the privacy policy or as a dedicated page linked from the privacy policy. It includes all major services that process personal data, what data each receives, their location, and purpose. The list is reasonably current (matches the actual integrations in the codebase). At least 1 implementation must be confirmed.
Fail criteria: No subprocessor list anywhere. Privacy policy mentions data sharing in vague terms without identifying specific services. List is present but significantly incomplete or outdated.
Skip (N/A) when: Application uses no third-party processors that access personal data.
Detail on fail: Example: "Privacy policy does not name specific subprocessors. References only 'third-party service providers' without identifying them." or "Subprocessor list exists but omits Sentry and Vercel, which both process request data including IP addresses."
Remediation: Maintain a subprocessor list in your privacy policy or as a dedicated linked page:
## Our Subprocessors
| Service | Purpose | Data Shared | Location |
|------------------|-----------------------------|-----------------------------|---------------|
| Stripe | Payment processing | Billing address | US (SCCs) |
| SendGrid | Transactional email | Email address, name | US (SCCs) |
| Google Analytics | Usage analytics | Pseudonymous ID, events | US (SCCs) |
| Sentry | Error monitoring | Error context, user ID | US (SCCs) |
| Vercel | Application hosting | Request logs, IP (ephemeral)| US/EU (SCCs) |
| Supabase | Database hosting | All stored personal data | EU region |
| Clerk / Auth0 | Authentication | Email, name, session data | US (SCCs) |
We update this list when we add or remove subprocessors. Existing customers will be notified of material changes via email 30 days in advance.