GDPR Subprocessor Change Notice Template (Free DOCX & PDF)
Published Jul 3, 2026
By Orbiq Team

Free GDPR subprocessor change notice template with every EDPB-expected field, plus the notice email variant, objection handling, and approval workflow.

Version 1.0 · Updated Jul 3, 2026 · Free, no email required

GDPR Subprocessor Change Notice Template (Word, PDF & Markdown)

This free subprocessor change notice template gives you a ready-to-send GDPR Article 28(2) notification: every field EDPB Opinion 22/2024 expects — subprocessor identity, contact person, service and data categories, processing location, transfer mechanism, effective date, and objection deadline — plus the notice email variant, sample objection-response copy, and the internal approval workflow. Download it as Word (DOCX), PDF, or a machine-readable Markdown file your AI tooling can draft from.

Under general written authorisation, you must inform every affected controller of an intended subprocessor addition or replacement and give them a real opportunity to object before the change takes effect. Since EDPB Opinion 22/2024, a one-line "we added Vendor X" email no longer clears that bar. This template packages the notice most European DPOs now expect to receive. For the workflow behind it — notice windows, silence-as-consent limits, subscriber models — see the full guide: GDPR Subprocessor Change Notices: The Article 28 Notification Workflow.

Key takeaways

  1. The notice is a structured document, not a courtesy email. After EDPB Opinion 22/2024, it must carry enough detail for the controller to make an informed objection decision — the template's eight required fields map one-to-one to that expectation.
  2. The deadline is yours to state, because the GDPR doesn't. Article 28 sets no statutory notice period. The template forces you to state an explicit objection deadline and method, drawn from your DPA — typically ~15 days in European practice, 30–60 negotiated, 90 rare.
  3. Transfers are part of the notice. If the new subprocessor processes data outside the EEA, the notice must name the mechanism — Standard Contractual Clauses or an adequacy decision — so controllers can run their own transfer assessment.
  4. Approval comes before sending. The built-in workflow (legal → DPO → publish → notify) exists because a notice that ships before the subprocessor list is updated, or before the transfer analysis is done, creates the very audit gap it was meant to close.
  5. One template covers EU, EEA, and UK. UK GDPR and Norway's personopplysningsloven carry Article 28 in the same form, so a notice drafted to the strictest reading works across all three.

What's inside the template

The core artifact is the notice document itself — the GDPR subprocessor notification template proper — a fill-in form with the eight fields a controller (and their DPO) needs to evaluate the change:

| Field | What you enter | Why it's required |
| --- | --- | --- |
| Subprocessor name & address | Legal entity name and registered address | Basic identification — EDPB Opinion 22/2024 expects identity for every actor in the chain |
| Country / processing location | Where the data is actually processed | Determines whether Chapter V transfer rules apply |
| Service / processing description | What the subprocessor does and which of your products it supports | Controllers must know what processing is entrusted, not just to whom |
| Categories of personal data | E.g. contact data, usage data, support content | Lets the controller judge risk and whether special categories are affected |
| Transfer mechanism | SCCs (Decision 2021/914), adequacy decision, or n/a (EEA-only) | Post-Schrems II, a notice without the transfer basis forces the controller to chase you |
| Security guarantees | Certifications (ISO 27001, SOC 2) or a summary of measures | Supports the controller's "sufficient guarantees" assessment under Article 28(1) |
| Effective date | The date the subprocessor starts processing | The notice must precede this date by the full objection window |
| Objection deadline & method | Explicit date plus how to object (email address, portal) | The opportunity to object must be real — a deadline nobody can find isn't one |

Around the notice itself, the download includes:

  • The email variant — subject line and body copy for delivering the notice to subscribed controllers, written so the objection deadline is visible without opening an attachment.
  • Sample objection-response copy — the acknowledgement you send when a controller objects, committing to the reasonable-efforts / workaround / termination path.
  • The approval workflow — a four-step internal checklist (legal → DPO → publish → notify) with what each gate checks.
  • A filled example — a realistic completed notice, so legal and non-legal reviewers can see what "done" looks like.

The Markdown version carries the same content with machine-readable field definitions, so an AI agent or internal tooling can draft a compliant notice from the file alone.

How to use it: the approval workflow

A notice is only as good as the process that ships it. The template's workflow has four gates:

  1. Legal review. Confirm what your DPAs actually promise: the notice window, the objection method, and the consequence of an objection. If different customer segments negotiated different windows (enterprise customers often hold 30–60 days), the notice must respect the longest applicable one — or you send segmented notices.
  2. DPO sign-off. The DPO or privacy lead verifies the substance: due diligence on the new subprocessor, the transfer analysis (SCCs signed? adequacy applicable?), and that all eight fields are complete. This is where a name-only notice gets caught before it embarrasses you.
  3. Publish. Update the public subprocessor register before or simultaneously with the notice, so a controller who clicks through sees a list consistent with what they were told. EDPB Opinion 22/2024 expects that list to be current at all times.
  4. Notify. Send the notice — push, not pull — to every controller whose data the subprocessor will touch, start the objection clock, and log the send. The log is your evidence of who was informed, when, and with what content.

On the deadline: resist copying a number from someone else's DPA. European practice clusters around ~15 days as the typical window, 30–60 days as the usual negotiated range for enterprise and regulated controllers, and 90 days as increasingly rare. The EDPB's test is not the number but whether the window allows a meaningful, informed objection — a short window on a high-risk change is challengeable even if the contract permits it.

If a controller objects, the sample response copy follows the standard model: acknowledge within a stated time, attempt a workaround (such as not routing that controller's data to the new subprocessor), and if none is feasible, offer termination of the affected services without penalty. Document the objection and its resolution — it belongs in the same audit trail as the notice.

The legal basis behind each field

Every field in the template traces to a specific obligation — briefly, since the full guide covers each in depth:

  • GDPR Article 28(2) creates the notice duty itself: under general written authorisation, the processor "shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object." The effective date and objection deadline fields operationalise "intended" and "opportunity."
  • Article 28(3)(d) and 28(4) require the processor to respect the paragraph 2 conditions in the contract, flow the same data-protection obligations down to the subprocessor, and remain liable to the controller for the subprocessor's compliance — which is why the security-guarantees field is yours to substantiate, not the subprocessor's. Article 28(9) requires the arrangement to be in writing, including in electronic form, so an emailed notice is a valid instrument.
  • Chapter V (Articles 44–46) governs the transfer-mechanism field. Processing outside the EEA needs an adequacy decision (Article 45 — currently covering the UK, Switzerland, Japan, and US organisations certified under the EU–US Data Privacy Framework, among others) or appropriate safeguards under Article 46, most commonly the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914. Intra-EEA controller-processor terms have their own optional SCCs under Decision (EU) 2021/915.
  • EDPB Opinion 22/2024 (adopted 7 October 2024) sets the field list: identity, contact person, processing description, location, transfer safeguards, and security guarantees for every subprocessor in the chain, kept up to date at all times and provided proactively. It also confines deemed acceptance to general authorisation with genuine, timely notice — under specific authorisation, silence is never consent.

The depth is risk-based: for a low-risk tooling change, summary entries suffice; for a subprocessor touching sensitive data, controllers are entitled to expect more in each field. How this fits your broader register and due-diligence duties is covered in Subprocessor Management Under GDPR Article 28, and the surrounding processor obligations in GDPR Articles 28, 32, 33, and 34.

Using the template in the UK and Norway/EEA

No adaptation is needed for the UK or Norway. UK GDPR retains Article 28 in the same form, supervised by the ICO, whose contracts guidance tells processors to set out "the date by which the controller should raise any objections" — exactly the template's objection-deadline field. Norway applies the GDPR through the personopplysningsloven via the EEA Agreement, supervised by Datatilsynet, with no national rule that softens the change-notice duty. The only field that changes across jurisdictions is the transfer mechanism: a transfer to the UK from the EEA currently rides on the UK adequacy decision, while EEA-internal processing (including Norway) needs none.

Keep the notice workflow running automatically

A template solves the drafting problem; it does not send itself, enforce the objection window, or remember who was notified. That is a Trust Center job: a current subprocessor register, a subscriber base of controllers and DPOs, structured change notices, and an audit trail in one system. Orbiq's trust-update workflow issues subprocessor change notices to subscribed controllers, enforces the objection deadline, and keeps the evidence automatically — so the template you download here becomes a workflow instead of a recurring manual task.

Sources & References

  1. Regulation (EU) 2016/679 (GDPR) — Article 28 — subprocessor authorisation and notice duty (28(2)), contract conditions (28(3)(d)), flow-down and liability (28(4)), written form (28(9)).
  2. EDPB Opinion 22/2024 on certain obligations following from the reliance on processors and sub-processors — adopted 7 October 2024; required subprocessor information, proactive and current lists, limits of deemed acceptance.
  3. Commission Implementing Decision (EU) 2021/914 — Standard Contractual Clauses for transfers to third countries — Article 46(2)(c) transfer mechanism referenced in the template's transfer field.
  4. Commission Implementing Decision (EU) 2021/915 — Standard Contractual Clauses between controllers and processors — Article 28(7) SCCs, including subprocessor engagement terms.
  5. ICO — Contracts and liabilities between controllers and processors — UK GDPR position, including stating an objection deadline.
  6. Datatilsynet — Norwegian Data Protection Authority — supervision of the GDPR in Norway via the personopplysningsloven and the EEA Agreement.

Frequently Asked Questions

What should a GDPR subprocessor change notice template include?

Following EDPB Opinion 22/2024, a compliant template needs the subprocessor's name and registered address, a contact person, a description of the service and processing, the categories of personal data affected, the processing location, the transfer mechanism for any non-EEA processing (SCCs or an adequacy decision), the effective date, and a clearly stated objection deadline with the method for objecting. This template includes all of these as fillable fields.

Is there a statutory notice period I should put in the template?

No. GDPR Article 28 sets no fixed notice period — the window is defined in your Data Processing Agreement. In European practice the typical window is around 15 days, with 30–60 days the usual range negotiated by enterprise and regulated customers, and 90 days increasingly rare. Whatever you choose, EDPB Opinion 22/2024 expects it to be long enough for a meaningful, informed objection.

Can I send the subprocessor notice as an email?

Yes — email is the standard delivery channel, and this template includes a ready-to-send subprocessor notice email variant. What matters legally is that notification is push, not pull: updating a web page alone does not discharge the Article 28(2) duty unless it is paired with an active alert that reaches the controllers in time to object.

Who should approve a subprocessor change notice before it goes out?

The template ships with a four-step approval workflow: legal review confirms the DPA terms and objection mechanics, the DPO (or privacy lead) verifies the transfer analysis and EDPB-expected fields, the subprocessor list is updated and published, and only then is the notice sent to all subscribed controllers with the objection clock started and logged.

Does the same template work for UK and Norwegian customers?

Yes. UK GDPR carries Article 28 in the same form, supervised by the ICO, which expects the contract to state an objection deadline. Norway applies the GDPR through the personopplysningsloven via the EEA Agreement, supervised by Datatilsynet, with no softer national rule. One notice drafted to the strictest reading covers EU, EEA, and UK controllers.

What do I do if a controller objects to the notice?

Follow the objection path defined in your DPA — the template includes sample response copy for it. The standard model is that the processor makes reasonable efforts to accommodate the objection, for example by not routing that controller's data to the new subprocessor, and if no workaround is feasible, the controller may terminate the affected services without penalty.
