
GDPR Subprocessor Register (Article 28/30)


Category: Management | Last Updated: May 26, 2026
Tags: management, compliance, geospatial

Overview

The Subprocessor Register gives data protection officers a living, tenant-scoped inventory of every third-party processor that touches personal data, built to satisfy GDPR Articles 28 and 30 inside the same platform used for investigations and case management. Each entry captures the processor, the personal data categories it handles, where that processing happens, the lawful transfer mechanism, the underlying contract, and a recurring review schedule with named reviewer accountability.

Privacy and compliance teams have long maintained this inventory in a standalone spreadsheet or a single-purpose tool that drifts out of date the moment a contract is signed or a vendor moves a workload to a new region. By keeping the register alongside the records that actually describe your processing, the inventory stays current, the review scheduler stops lapsed contracts going unnoticed, and an overdue-review filter surfaces exactly which relationships need attention before an auditor asks.

A built-in public disclosure endpoint lets product teams publish a subprocessor list to their own end-users in a single call, meeting voluntary or mandated transparency expectations without building bespoke web pages.

Key Features

  • Article 28 Processor Records: Every entry documents the processor name, a plain-language service description, and the personal data categories it handles, capturing the contractual detail Article 28 requires of controller-to-processor relationships.

  • Lawful Transfer Mechanisms: Each processor is tagged with the legal basis for any international transfer (an EU adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or an exceptional Article 49 derogation), so the basis for every cross-border flow is explicit and auditable.

  • Contract Lifecycle Tracking: Record the contract type (Data Processing Agreement, model clauses, or Binding Corporate Rules) alongside signing and expiry dates, giving teams a clear view of which agreements are in force and which are approaching renewal.

  • Annual Review Scheduler: A review-due date and last-reviewed timestamp accompany each entry, with named reviewer attribution so accountability for every assessment is recorded rather than assumed.

  • Overdue-Review Filter: A single filter returns only the processors whose review is past due, turning the register into an active worklist instead of a static document and preventing lapsed contracts from slipping through.

  • One-Click Review Recording: Recording an annual review automatically advances the next review-due date by one year, removing manual date arithmetic and keeping the schedule rolling forward without gaps.

  • RoPA Linkage: Entries can be linked to specific Record of Processing Activities, so each processor connects directly to the Article 30 activities that rely on it and gap analysis becomes traceable in both directions.

  • Public Disclosure Endpoint: Flag any processor as public and expose a curated, unauthenticated list through a single endpoint, satisfying transparency disclosure obligations and end-user expectations without standing up a separate website.

Use Cases

Data Protection Officers and Privacy Teams

DPOs maintain a defensible Article 30 processor inventory that reflects the organisation as it is today. When a regulator or auditor requests the processor list, the transfer mechanisms, contract types, and review history are already documented and current, removing the scramble to reconstruct evidence from email threads and spreadsheets.

Compliance and Vendor Management

Compliance teams track contract expiry and annual review cadence across the entire processor estate from one place. The overdue-review filter becomes a standing agenda item, ensuring no relationship goes more than a year without reassessment and that renewals are actioned before agreements lapse.

Product and Engineering Teams

Product teams publish a transparency list of subprocessors to their own customers using the public disclosure endpoint, satisfying both regulatory and customer-trust expectations in a single integration rather than maintaining a hand-edited web page that drifts from reality.

Multi-Entity and Cross-Border Organisations

Organisations operating across the EU, UK, US, and beyond record the correct transfer basis for each jurisdiction, evidencing adequacy reliance, Standard Contractual Clauses, or Binding Corporate Rules per processor and demonstrating Chapter V compliance for international data flows.

Integration

The register is exposed through the same authenticated GraphQL surface as the rest of the platform, secured with OAuth2 and signed access tokens, so existing privacy and compliance tooling can read and maintain entries programmatically.

  • Authenticated Read and Write: List the full register, retrieve a single processor, add new entries, update existing ones, and record a completed review, all behind the platform authentication layer and isolated to your tenant.
  • Filtered Listing: Request only active processors, or only those with an overdue review, so downstream dashboards and reminders consume exactly the slice they need.
  • RoPA Cross-Linking: Associate each processor with the Record of Processing Activities entries that depend on it, keeping the Article 28 register and the Article 30 records in step.
  • Public Disclosure: The public list is served without authentication, returning only the fields appropriate for external disclosure (processor, service, data categories, location, transfer mechanism, contract type, and review status), so a customer-facing transparency page is a single call away.
  • Normalised Data Model: Transfer mechanisms and contract types use a consistent, controlled vocabulary, so connected systems interpret every entry the same way without bespoke mapping.

Customers plug in their existing privacy stack or product front end; the benefit is one authoritative processor inventory that doubles as both an internal compliance record and an external transparency feed.

Open Standards

  • GDPR Article 28: Implements the controller-to-processor contractual requirements, recording the processing detail and contract type that Article 28 mandates for every subprocessor relationship.
  • GDPR Article 30: Supports Records of Processing Activities (RoPA) by linking each processor to the specific activities that rely on it, keeping the processor inventory and the activity record connected.
  • GDPR Article 46 Standard Contractual Clauses (SCCs): Recognised as a transfer mechanism, letting organisations evidence SCC-based safeguards for international transfers per processor.
  • GDPR Article 47 Binding Corporate Rules (BCRs): Supported as both a transfer mechanism and a contract type for intra-group transfers governed by approved Binding Corporate Rules.
  • GDPR Article 49 Derogations: Captured as an explicit, exceptional transfer basis so reliance on a derogation for international transfers is recorded transparently rather than left implicit.
  • EU Adequacy Decisions (Chapter V GDPR): Available as a transfer mechanism, allowing processors in adequate jurisdictions to be evidenced against the relevant adequacy decision.

Security & Compliance

All register data is strictly tenant-isolated. Every authenticated query and mutation is scoped to the calling organisation, so one tenant can never see or alter another tenant's processor inventory. The sole exception is the public disclosure endpoint, which is intentionally unauthenticated and returns only the limited, disclosure-appropriate fields for processors that have been explicitly flagged as public; internal-only entries never appear there.

Review actions are attributed to the user who performed them and timestamped, giving compliance teams a defensible record of who assessed each processor and when. Because the register lives inside the broader compliance platform, it inherits the same access controls and audit posture as the investigation and case-management capabilities alongside it.
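Added illustration, not the platform's own code: a minimal Python model of the register behaviour described in the Integration and Security & Compliance sections, showing tenant scoping applied before any other filter on authenticated reads, the active and overdue-review filters, the one-year roll-forward when a review is recorded, and an allow-listed field projection for the unauthenticated disclosure list. The vocabulary identifiers, field names and function names are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Controlled vocabularies (identifiers are this example's own, not the platform's).
TRANSFER_MECHANISMS = {"adequacy", "scc", "bcr", "article_49_derogation"}
CONTRACT_TYPES = {"dpa", "model_clauses", "bcr"}
# Allow-list of attributes the unauthenticated disclosure list may expose.
PUBLIC_FIELDS = ("processor", "service", "data_categories", "location",
                 "transfer_mechanism", "contract_type")
@dataclass
class Subprocessor:
    tenant_id: str
    processor: str
    service: str
    data_categories: list
    location: str
    transfer_mechanism: str
    contract_type: str
    review_due: date
    last_reviewed: "date | None" = None
    reviewed_by: "str | None" = None
    active: bool = True
    is_public: bool = False  # internal-only unless explicitly flagged

    def __post_init__(self):  # enforce the controlled vocabulary on write
        if (self.transfer_mechanism not in TRANSFER_MECHANISMS
                or self.contract_type not in CONTRACT_TYPES):
            raise ValueError(f"value outside controlled vocabulary: {self.processor}")

    def review_status(self, today):
        return "overdue" if self.review_due < today else "current"

def list_register(entries, tenant_id, today, active_only=False, overdue_only=False):
    """Authenticated listing: scope to the caller's tenant before any other filter."""
    return [e for e in entries if e.tenant_id == tenant_id
            and (not active_only or e.active)
            and (not overdue_only or e.review_status(today) == "overdue")]

def record_review(entry, reviewer, today):
    """Stamp reviewer and date, then roll review_due forward by one year."""
    entry.last_reviewed, entry.reviewed_by = today, reviewer
    try:
        entry.review_due = today.replace(year=today.year + 1)
    except ValueError:  # 29 Feb has no counterpart in the following year
        entry.review_due = today.replace(year=today.year + 1, day=28)
    return entry.review_due

def public_disclosure(entries, tenant_id, today):
    """Unauthenticated list: active, explicitly public entries only, projected to PUBLIC_FIELDS."""
    return [{**{f: getattr(e, f) for f in PUBLIC_FIELDS}, "review_status": e.review_status(today)}
            for e in entries if e.tenant_id == tenant_id and e.is_public and e.active]
```

The projection builds each public row from the allow-list rather than by deleting sensitive keys, so a field added to the model later stays internal until it is deliberately added to PUBLIC_FIELDS.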

Last Reviewed: 2026-05-26 | Last Updated: 2026-05-26
