Audit the GDPR compliance of your subcontractors: the guide to secure your liability

The compliance of a data controller depends directly on the rigor of its service providers. Under the GDPR, outsourcing does not exempt you from liability: you must ensure that your subcontractors offer sufficient guarantees in terms of security and confidentiality. This guide details vigilance obligations, contractual levers such as the Security Assurance Plan (PAS) and offers a checklist of 16 control points to industrialize your audits and prove your diligence (Accountability).

By Anne-Angélique de Tourtier

In a digital ecosystem where outsourcing is the norm, the compliance of a data controller is intrinsically linked to that of its partners. The GDPR established a principle of co-responsibility: if your subcontractor suffers a data breach, it is your reputation, legal responsibility and diligence that will be examined by the supervisory authority.

Moving from administrative compliance to controlled governance requires ensuring that your service providers offer sufficient guarantees of the confidentiality, availability and integrity of the data you entrust to them.

Understanding the duty of care and article 28 of the GDPR

Article 28 of the GDPR states that the data controller must only use subcontractors offering sufficient guarantees. In the event of a security breach, or of a breach identified during a CNIL inspection, you may be held liable on two fronts:

  • Culpa in eligendo (fault in the choice): did you check the maturity of the service provider before entrusting it with data?
  • Lack of supervision: have you maintained regular and documented monitoring of its commitments?

The legal stakes are clear: even though the subcontractor is liable for its own breaches, the data controller may be sanctioned for failing in its duty of care. The audit is your proof of diligence (Accountability).


How to assess the security of your SaaS subcontractors?

The evaluation should not be seen as a constraint, but as a step towards mutual security.

The lever of the PAS (Security Assurance Plan)

To carry out your data protection impact assessments (AIPD, the French term for DPIA), you must collect the technical measures of your subcontractors. Requesting the PAS or a penetration test report (pentest) is a good way to assess the real soundness of SaaS software before starting contractual discussions.

Recontracting and documented instructions

Any data processing by a subcontractor must be governed by a contract or a legal act. Take advantage of renewals to incorporate clauses specifying that the subcontractor acts only on your documented instructions and that it has the obligation to alert you immediately if a data breach occurs.

GDPR checklist: 16 key points for auditing your subcontractors

Inspired by the Adequacy methodology and the CNIL standards, here are the 16 questions to ask yourself as part of an evaluation of a subcontractor:

  • Controller (RT) instructions: do you provide specific written instructions on how the data is to be handled?
  • Privacy by design: does the provider take data protection into account when designing its tools?
  • Subsequent subcontractors: does the contract clearly define how the service provider can recruit its own subcontractors (prior authorization or right of opposition)?
  • Right to information: does the provider help you inform the persons concerned according to your terms and conditions?
  • Register: does the service provider keep a record of the activities carried out on your behalf?
  • Security measures: what is the real evidence (encryption, secure access, backups) of data protection?
  • Confidentiality: are the service provider's employees subject to a documented obligation of secrecy?
  • Risk assessment: did the provider provide a security risk study for their service?
  • Cooperation: does the provider help you carry out your impact assessments (AIPD)?
  • Data fate: can the service provider prove the destruction or return of the data at the end of the contract?
  • Internal audit: is your right to go and check on site or on documents guaranteed in the contract?
  • Transfers outside the EU: are data flows outside Europe secured by valid legal tools?
  • Delegate (DPO): has the subcontractor appointed an identified compliance contact point?
  • Data breach: is there a procedure for tracking and documenting each incident at the provider?
  • Notification: does the service provider undertake to notify you without undue delay in the event of a security breach?
  • Responsibility matrix: does an appendix clearly specify who does what between you and the provider?

Automating subcontractor compliance management with Adequacy

Manually tracking these points out of dozens or even hundreds of service providers via spreadsheets is a major source of legal risks. Adequacy turns this constraint into a reliable process:

  • Automated audit campaigns: send your security or compliance forms and collect evidence (PAS, certifications)
  • Centralization and traceability: all responses and contractual documents are stored in a sovereign space, constituting your evidence file in the event of an audit
  • Risk management: identify the weak links in your subcontracting chain and prioritize your compliance actions

FAQ: Assessment of subcontractors and the GDPR

Is a simple questionnaire enough to prove my compliance?

The questionnaire is a first step. For high-risk processing operations, the CNIL considers that the data controller must carry out more thorough checks. These may include on-site audits, analysis of third-party audit reports, or certifications such as ISO 27001.

Is it acceptable for the subcontractor to notify me of a breach within 72 hours?

It is a legal risk for the data controller. Since you have 72 hours from the moment you become aware of the breach to notify the CNIL, the subcontractor must inform you without delay. This time limit is often interpreted as immediate, or 24 to 48 hours at most, so that you have time to analyze the incident.

Who is responsible in case of fault on the part of the subcontractor?

Under the GDPR, responsibility is shared. The subcontractor may be sanctioned for its own breaches under article 82. However, the data controller remains responsible for its choice of service provider and for supervising it. Auditing is the only way to mitigate your liability.

How do I automate the monitoring of my service providers?

Using a dedicated SaaS platform makes it possible to centralize proofs of diligence and to schedule reminders for periodic audits. This ensures continuous compliance rather than one-off checks.

Do you want to simplify the evaluation of your subcontractors? Discover Adequacy's subcontractor management module during a personalized demonstration.
