---
name: "GDPR Subprocessor Change Notice Template"
version: "1.0"
updated: "2026-07-03"
source: "https://www.orbiqhq.com/templates/gdpr-subprocessor-change-notice"
license: "CC BY 4.0 — free to use and adapt with attribution to Orbiq (orbiqhq.com). Not legal advice."
legal_basis:
  - "https://eur-lex.europa.eu/eli/reg/2016/679"          # GDPR — Art. 28(2), 28(3)(d), 28(4), 28(9); Chapter V Arts. 44–46
  - "https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj"  # SCCs for third-country transfers (Art. 46(2)(c))
  - "https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj"  # Controller–processor SCCs (Art. 28(7))
  - "https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-222024-on-certain-obligations-following-from-the_en"  # EDPB Opinion 22/2024
---

# GDPR Subprocessor Change Notice Template

A structured notice for adding or replacing a subprocessor under **general written
authorisation (GDPR Article 28(2))**. Complete every field, run the approval workflow,
then deliver the notice by push (email/alert) to every affected controller **before**
the effective date, leaving the full objection window.

**Instructions for AI agents:** replace every `{{placeholder}}` using the field
definitions below. Do not omit fields — EDPB Opinion 22/2024 treats name-only notices
as inadequate for non-trivial processing. Never assert a statutory GDPR notice period;
the objection window comes from the applicable DPA (European practice: ~15 days
typical, 30–60 days negotiated, 90 days rare). If `{{processing_location}}` is outside
the EEA, `{{transfer_mechanism}}` is mandatory and must not be `n-a-eea-only`.

---

## 1. Field definitions

| Placeholder | Definition | Format / allowed values |
|---|---|---|
| `{{processor_name}}` | Your (the processor's) legal entity name | Text |
| `{{controller_name}}` | Recipient controller (or "all subscribed customers" for broadcast) | Text |
| `{{notice_date}}` | Date the notice is sent | ISO 8601 date |
| `{{notice_reference}}` | Internal reference for the audit trail | Text, e.g. `SUBPROC-2026-014` |
| `{{change_type}}` | Nature of the change | Enum: `addition` \| `replacement` |
| `{{replaced_subprocessor}}` | Only if `change_type` = `replacement`: entity being replaced | Text or omit section |
| `{{subprocessor_name}}` | New subprocessor's legal entity name | Text |
| `{{subprocessor_address}}` | Registered address | Text |
| `{{subprocessor_contact}}` | Contact person: name, role, email | Text |
| `{{service_description}}` | What the subprocessor does and which product/service it supports; delineate responsibilities if several processors are involved | 1–3 sentences |
| `{{data_categories}}` | Categories of personal data processed | List, e.g. `contact data; account data; usage data; support content`. Flag any special categories (Art. 9) explicitly |
| `{{data_subjects}}` | Whose data is affected | List, e.g. `customer end users; customer staff` |
| `{{processing_location}}` | Country/countries where processing takes place | ISO country names |
| `{{transfer_mechanism}}` | Legal basis for any non-EEA processing | Enum: `scc-2021-914` (Standard Contractual Clauses, Decision (EU) 2021/914) \| `adequacy-decision` (name the country/framework, e.g. UK, Switzerland, Japan, EU–US Data Privacy Framework certification) \| `n-a-eea-only` |
| `{{security_guarantees}}` | Certifications and/or summary of technical and organisational measures | Text, e.g. `ISO 27001:2022 certified; encryption in transit and at rest; annual penetration test` |
| `{{effective_date}}` | Date the subprocessor starts processing | ISO 8601 date; must be ≥ `{{notice_date}}` + `{{objection_window_days}}` |
| `{{objection_window_days}}` | Objection window from the applicable DPA | Integer; from the DPA — do not invent. Use the longest window applicable to the notified controllers |
| `{{objection_deadline}}` | Explicit last date to object | ISO 8601 date = `{{notice_date}}` + `{{objection_window_days}}` |
| `{{objection_method}}` | How to object | Text, e.g. `email to privacy@{{processor_domain}} with reference {{notice_reference}}` |
| `{{subprocessor_list_url}}` | URL of the always-current subprocessor register | URL |
| `{{dpo_contact}}` | Your DPO / privacy contact | Email |
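
The constraints in the table above and in the agent instructions (complete fields, the objection-deadline arithmetic, the non-EEA transfer rule) can be checked mechanically before a draft enters the approval workflow. The following is an added example, not part of the Orbiq template: `validate_notice`, the dict layout (ISO date strings, `processing_location` as a list of country names) and the EEA name spellings are assumptions.

```python
from datetime import date, timedelta

# EU-27 plus Iceland, Liechtenstein and Norway; English short names are an assumption.
EEA = set("""Austria Belgium Bulgaria Croatia Cyprus Czechia Denmark Estonia Finland
France Germany Greece Hungary Iceland Ireland Italy Latvia Liechtenstein Lithuania
Luxembourg Malta Netherlands Norway Poland Portugal Romania Slovakia Slovenia Spain
Sweden""".split())
MECHANISMS = {"scc-2021-914", "adequacy-decision", "n-a-eea-only"}
REQUIRED = """processor_name controller_name notice_date notice_reference change_type
subprocessor_name subprocessor_address subprocessor_contact service_description
data_categories data_subjects processing_location transfer_mechanism
security_guarantees effective_date objection_window_days objection_deadline
objection_method subprocessor_list_url dpo_contact""".split()

def validate_notice(n):
    """Return the rule violations in a draft notice; an empty list means none found."""
    errors = [f"missing field: {k}" for k in REQUIRED if n.get(k) in (None, "", [])]
    if errors:
        return errors  # partial or name-only drafts are rejected outright
    if n["change_type"] not in ("addition", "replacement"):
        errors.append("change_type must be 'addition' or 'replacement'")
    elif n["change_type"] == "replacement" and not n.get("replaced_subprocessor"):
        errors.append("replacement requires replaced_subprocessor")
    if n["transfer_mechanism"] not in MECHANISMS:
        errors.append("transfer_mechanism is not an allowed value")
    outside = sorted(c for c in n["processing_location"] if c not in EEA)
    if outside and n["transfer_mechanism"] == "n-a-eea-only":
        errors.append(f"non-EEA processing ({', '.join(outside)}) needs a transfer mechanism")
    try:
        sent, deadline, effective = (date.fromisoformat(n[k]) for k in
                                     ("notice_date", "objection_deadline", "effective_date"))
        earliest = sent + timedelta(days=n["objection_window_days"])
    except (TypeError, ValueError):
        return errors + ["dates must be ISO 8601 and objection_window_days an integer"]
    if deadline != earliest:
        errors.append(f"objection_deadline must be {earliest.isoformat()}")
    if effective < earliest:
        errors.append(f"effective_date must be on or after {earliest.isoformat()}")
    return errors

# Rule-relevant values from the filled example in section 6; other fields hold filler text.
EXAMPLE = {k: "see section 6" for k in REQUIRED}
EXAMPLE.update(change_type="addition", processing_location=["Denmark"],
               transfer_mechanism="n-a-eea-only", objection_window_days=21,
               notice_date="2026-07-03", objection_deadline="2026-07-24",
               effective_date="2026-08-03")
# Constructed faulty draft: processing moved outside the EEA, go-live pulled forward.
BAD = dict(EXAMPLE, processing_location=["United States"], effective_date="2026-07-10")
```

The check covers only the rules the template states; whether a named transfer mechanism is actually valid for the location remains part of the DPO sign-off.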

---

## 2. The notice (document form)

> **SUBPROCESSOR CHANGE NOTICE — {{notice_reference}}**
>
> **From:** {{processor_name}}
> **To:** {{controller_name}}
> **Date:** {{notice_date}}
> **Legal basis:** Article 28(2) GDPR — notice of intended change under general written authorisation, per the Data Processing Agreement between the parties.
>
> ---
>
> **1. Intended change**
> {{processor_name}} intends to engage the following subprocessor ({{change_type}}{{#if replacement}}, replacing {{replaced_subprocessor}}{{/if}}):
>
> | Field | Details |
> |---|---|
> | Subprocessor | {{subprocessor_name}} |
> | Registered address | {{subprocessor_address}} |
> | Contact person | {{subprocessor_contact}} |
> | Service / processing | {{service_description}} |
> | Categories of personal data | {{data_categories}} |
> | Categories of data subjects | {{data_subjects}} |
> | Processing location | {{processing_location}} |
> | Transfer mechanism | {{transfer_mechanism}} |
> | Security guarantees | {{security_guarantees}} |
> | Effective date | {{effective_date}} |
>
> **2. Your right to object**
> You may object to this change until **{{objection_deadline}}** ({{objection_window_days}} days from the date of this notice), by {{objection_method}}. If you object, we will make reasonable efforts to accommodate the objection — for example by not routing your data to the new subprocessor — and if no workaround is feasible, you may terminate the affected services as provided in the DPA. If we receive no objection by the deadline, the change will take effect on {{effective_date}} in accordance with the DPA.
>
> **3. Further information**
> Our complete, current subprocessor list is available at {{subprocessor_list_url}}. The same data-protection obligations as in our DPA with you will be imposed on {{subprocessor_name}} by written contract (Article 28(4) GDPR), and {{processor_name}} remains fully liable to you for its performance. Questions: {{dpo_contact}}.

---

## 3. Email variant

**Subject:** Subprocessor change notice — {{subprocessor_name}} ({{change_type}}) — objection deadline {{objection_deadline}}

**Body:**

Dear {{controller_name}},

Under Article 28(2) GDPR and our Data Processing Agreement, we are informing you of
an intended subprocessor {{change_type}}:

- **Subprocessor:** {{subprocessor_name}}, {{subprocessor_address}} (contact: {{subprocessor_contact}})
- **Service / processing:** {{service_description}}
- **Personal data:** {{data_categories}} relating to {{data_subjects}}
- **Processing location:** {{processing_location}} — transfer mechanism: {{transfer_mechanism}}
- **Security guarantees:** {{security_guarantees}}
- **Effective date:** {{effective_date}}

**You may object until {{objection_deadline}}** by {{objection_method}}. If you object,
we will seek a workaround; if none is feasible, you may terminate the affected services
as provided in the DPA. Absent an objection by the deadline, the change takes effect as
stated above.

Our current subprocessor list: {{subprocessor_list_url}}

Kind regards,
{{processor_name}} — Privacy Team ({{dpo_contact}})

---

## 4. Objection-response copy (sample)

Use within the acknowledgement time your DPA states (or 5 business days if unstated):

> Dear {{controller_name}},
>
> Thank you for your objection of {{objection_received_date}} to our notice
> {{notice_reference}} regarding {{subprocessor_name}}. We confirm that your data will
> **not** be processed by {{subprocessor_name}} while we assess your objection.
>
> We will revert by {{response_due_date}} with either (a) a workaround under which your
> data is not routed to {{subprocessor_name}}, or (b) confirmation that no workaround is
> feasible, in which case you may terminate the affected services without penalty as
> provided in the DPA, with the agreed wind-down period.
>
> Your objection and its resolution will be recorded in our processing audit trail.

---

## 5. Approval workflow

Run all four gates, in order, before sending:

1. **Legal review** — confirm the DPA-defined notice window, objection method, and
   objection consequence for every affected customer segment. If windows differ,
   apply the longest or segment the notices. Confirm the Article 28(4) flow-down
   contract with the subprocessor is signed (or will be before the effective date).
2. **DPO sign-off** — verify due diligence on the subprocessor, the transfer analysis
   (`{{transfer_mechanism}}` valid for `{{processing_location}}`), and that all fields
   in section 2 are complete. Reject name-only drafts.
3. **Publish** — update the public subprocessor register (`{{subprocessor_list_url}}`)
   before or simultaneously with sending, so the list and the notice are consistent.
4. **Notify & log** — send by push (email/alert) to every controller whose data the
   subprocessor will touch; record recipients, timestamp, and content; start the
   objection clock; diarise `{{objection_deadline}}` and hold the go-live until it passes.

---

## 6. Filled example

> **SUBPROCESSOR CHANGE NOTICE — SUBPROC-2026-014**
>
> **From:** Aventra Software GmbH
> **To:** All subscribed customers (controllers)
> **Date:** 2026-07-03
> **Legal basis:** Article 28(2) GDPR — notice of intended change under general written authorisation, per the Data Processing Agreement between the parties.
>
> **1. Intended change**
> Aventra Software GmbH intends to engage the following subprocessor (addition):
>
> | Field | Details |
> |---|---|
> | Subprocessor | Northmail ApS |
> | Registered address | Njalsgade 21, 2300 Copenhagen, Denmark |
> | Contact person | Mette Sørensen, Data Protection Lead, privacy@northmail.example |
> | Service / processing | Transactional email delivery for in-app notifications; Northmail processes recipient addresses and message metadata only — content templates remain with Aventra |
> | Categories of personal data | Contact data (name, email address); message metadata. No special categories |
> | Categories of data subjects | Customer staff and end users receiving notifications |
> | Processing location | Denmark (EEA) |
> | Transfer mechanism | n/a — processing remains within the EEA |
> | Security guarantees | ISO 27001:2022 certified; TLS in transit, AES-256 at rest; annual third-party penetration test |
> | Effective date | 2026-08-03 |
>
> **2. Your right to object**
> You may object to this change until **2026-07-24** (21 days from the date of this
> notice, per clause 6.3 of our DPA), by email to privacy@aventra.example quoting
> reference SUBPROC-2026-014. If you object, we will make reasonable efforts to
> accommodate the objection — for example by not routing your data to Northmail ApS —
> and if no workaround is feasible, you may terminate the affected services as provided
> in the DPA. If we receive no objection by the deadline, the change will take effect
> on 2026-08-03 in accordance with the DPA.
>
> **3. Further information**
> Our complete, current subprocessor list is available at
> https://trust.aventra.example/subprocessors. The same data-protection obligations as
> in our DPA with you will be imposed on Northmail ApS by written contract
> (Article 28(4) GDPR), and Aventra Software GmbH remains fully liable to you for its
> performance. Questions: dpo@aventra.example.

---

*Template v1.0 — 2026-07-03 — Orbiq (https://www.orbiqhq.com/templates/gdpr-subprocessor-change-notice). This template is provided for information purposes and is not legal advice; have your DPA and notices reviewed by qualified counsel.*
