Processor, Subprocessor and Third-Party Privacy Management Policy

The Processor, Subprocessor and Third-Party Privacy Management Policy defines how an organization governs external parties that process, access, receive, store, transmit, support or otherwise handle PII within the Privacy Information Management System scope. It applies when the organization acts as a PII controller using processors, as a joint controller requiring role classification, as a processor using subprocessors or subcontractors, and as a subprocessor receiving customer instructions. The policy also covers third-party relationships requiring privacy due diligence, contract controls, documented instructions, subprocessor approval, monitoring, assurance, incident interface, transfer linkage, return, deletion or exit evidence. A core feature of the policy is its reliance on REG08 — Processor, Subprocessor and Data Sharing Register — as the primary evidence object for processor, subprocessor and third-party privacy management. The policy requires the Privacy Lead / PIMS Manager to define minimum REG08 fields and classify third-party privacy relationships as controller, joint controller, processor, subprocessor or other third-party relationship before contract approval or before PII processing begins. It also requires the Vendor / Procurement Owner to block onboarding, renewal or expansion until REG08 is completed and linked to records such as REG02, REG04, REG09 or REG10 where those evidence objects are triggered. This creates a documented linkage between relationship governance, processing inventory, risk and DPIA records, international transfer evidence, incident records and corrective actions. The policy sets detailed requirements for due diligence, risk assessment and contractual control. Privacy due diligence must be completed before selecting, renewing or materially changing a processor, subprocessor or third-party relationship that processes or accesses PII. Security assurance evidence must be reviewed by the Information Security Lead before approval, and high-risk processor relationships or material third-party privacy changes trigger privacy risk and DPIA screening in REG04. Contract and documented instruction controls are separated for controller and processor contexts. When acting as controller, the organization must record a written processor contract or equivalent binding agreement before a processor handles PII. When acting as processor, customer agreements or documented customer instructions must define the authorized processing scope before customer PII is processed. The policy also requires contract coverage for assistance, security assurance, incident interface through PII15, return or deletion through PII10, transfer linkage through PII13, and audit or assurance cooperation. Subprocessor and subcontractor governance is addressed through specific approval, notice, flow-down and monitoring requirements. The Vendor / Procurement Owner must maintain a list of subprocessors and subcontractors in REG08, verify customer authorization before engagement, notify customers of intended new or replacement subprocessors according to the applicable agreement, and ensure flow-down privacy, security, assistance, return, deletion, incident interface and transfer-linkage obligations before any subprocessor processes PII. Controller-side subprocessor-change notices must also be tracked, with approval, objection or escalation decisions recorded in REG08 within the contractual objection period or within 10 business days after notice receipt, whichever is shorter. The policy completes the lifecycle with ongoing monitoring, assistance handling, disclosure recording, incident linkage, transfer linkage, exit evidence, exceptions, enforcement and review. High-risk processor and subprocessor relationships are monitored quarterly, while other active PII processor and subprocessor relationships are monitored annually. Assistance requests for PII principal rights, DPIAs, security evidence, audits or customer assurance must be coordinated through REG08 and linked to REG06, REG04 or REG12 where applicable. Supplier-related privacy incident notices route to REG10 under PII15 within one business day, and return, deletion, disposal or transition evidence must be obtained within 30 days after termination, expiry, customer instruction or approved exit event unless a shorter contractual period applies. Exceptions are time-limited, require privacy impact assessment, and may require Top Management approval where high-risk processing, missing contract evidence, transfer linkage gaps or certification scope are affected.