UnixTime

Research Note

GDPR Processors, Subprocessors, and International Transfers

A practical control model for Article 28 contracts, processor due diligence, subprocessor changes, transfer safeguards, and service exit.

On this page

Self-hosted does not mean processor-free

Self-hosting can reduce one vendor relationship, but hosting operators, SMTP relays, backup targets, monitoring systems, support tools, and administrators may still process personal data.

Processor control record

For every processor or subprocessor, document:

  • service, role, processing purpose, data, people, and locations;
  • controller instructions and prohibited uses;
  • Article 28 contract and security obligations;
  • confidentiality, access, incident, rights, audit, and assistance terms;
  • subprocessor authorization and change-notice mechanism;
  • deletion or return behavior, including backups;
  • business continuity and service-exit plan; and
  • transfer mechanism and supplementary assessment where required.

International-transfer sequence

  1. Identify whether personal data leaves the EEA or becomes remotely accessible from a third country.
  2. Check whether an Article 45 adequacy decision covers the destination and recipient.
  3. If not, identify an Article 46 safeguard such as applicable Standard Contractual Clauses or Binding Corporate Rules.
  4. Assess whether destination-country law or practice undermines the safeguard and whether supplementary measures are needed.
  5. Use Article 49 derogations narrowly; they are not a routine architecture pattern.
  6. Tell people about applicable transfers and how safeguards can be obtained.

Listmonk implications

A self-hosted Listmonk deployment should keep PostgreSQL private, restrict the admin surface, use double opt-in, record consent and notice versions, enforce unsubscribe and suppression, define retention, encrypt backups, test restore and deletion, govern SMTP delivery providers, and preserve migration reconciliation. Migrating email addresses without consent and suppression history destroys evidence and can reactivate people who unsubscribed.

Primary references

  • Gdpr
  • Processor
  • Subprocessor
  • International transfer
  • Article 28
  • Supplier risk

Note Metadata

Aliases: GDPR Article 28, GDPR International Transfers

Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng