Beyond its direct control of the processor, the controller is also obliged to contractually secure and verify the subcontractors used by the processor (Art. 18 (3) (d)). A processor that uses further subcontractors must submit the corresponding documents within the scope of an audit.
In addition, it must be ensured that the controller can, if necessary, also fulfil its control obligations through on-site controls at the subcontractor. The processor must provide the corresponding contractual safeguards.
The processor is established within the EU, the subcontractors in third countries
A frequently occurring case is the constellation in which a processor is based in the EU, but the subcontractors are located in third countries. It is not uncommon for contracts for commissioned processing in such cases to contain significant regulatory gaps, often to the disadvantage of the controller. The latter initially bears the full risk under data protection law, provided it has contractually agreed to this.
Within the framework of an audit, it is sometimes possible to achieve significant improvements and, for example, to find better solutions through technical and organisational measures.
In general, the same regulations apply to the use of subcontractors as to processors. The assured level of data protection and data security may not be undercut even when using subcontractors.
You can find more information on third country transfers here.