Third party that a vendor uses to deliver their service and that therefore also handles your data. Examples: cloud providers, LLM APIs, transcription services. Vendors must disclose them under GDPR and request permission before adding new ones.
Definition: Third party that a vendor uses to deliver their service and that therefore also handles your data. Examples: cloud providers, LLM APIs, transcription services. Vendors must disclose them under GDPR and request permission before adding new ones.
A sub-processor is any third party your vendor passes data to in order to deliver their service. A research analytics platform might use AWS for hosting, OpenAI for analysis, and a transcription service for audio. Each is a sub-processor; each touches your participant data; each carries GDPR obligations.
Under GDPR, vendors must maintain a current sub-processor list, make it accessible to customers, and notify customers before adding new ones. The customer typically has a right to object to new sub-processors and exit the contract if the addition is unacceptable.
For UX research, scan the sub-processor list before signing. Two warning signs: sub-processors outside the EU/EEA without adequate transfer safeguards, and AI-model providers known for using customer data in training. Either turns your tool choice into a privacy decision.
EU regulation governing how personal data is collected, stored, processed, and shared. In force since May 2018. Applies to any organization handling EU residents' personal data, regardless of where the organization is based.
Contract between a data controller (the research team or commissioning organization) and a data processor (a vendor handling data on their behalf) defining what the processor may do with the data. Mandatory under GDPR Article 28.
This term is referenced in the following articles: