I don't think it will invalidate the contract because it would have been agreement between yourself and the processor. You are correct to pick up on it but always remember you are responsible for ensuring that processors comply with their obligations under the GDPR.

in this day and age, it is normal for processors to engage with third parties in order to ensure the functioning of the services provided e.g. telecoms provider, cloud services etc.

Whilst Art. 28 says that this shouldn't happen without consent, you can of course give make an exception and give consent under the contract to allow the processor to use those third parties that are critical to providing the service, otherwise it might be impossible to perform.

There's a number of ways to go about this:

1. If the processor only uses one or two third parties you could explicitly say something in the contract along the lines of "except for (company name) (company no. if applicable) (insert registered or principal address), the data processor shall not use any sub-processor without prior written consent t of the data controller."

2. If there are multiple processors used, you could refer to a sub-processor list as a schedule to the end of the agreement. Wording such as "the data processor shall not use any sub-processor without the data controller's prior written consent unless that sub-processor exists on the list of processors set out in Schedule X (as updated from time to time)"

3. A compromise situation might be to allow the data processor to use a sub-process provided that you are promptly notified in writing and unless you object within X days of being notified, then you are deemed to have given consent.

You will also need to consider Art.28(3) which says that sub-processing contract will contain certain provisions set out in (a) to (h) but some of those sub-sections can be placed elsewhere in the contract such as the option to return or delete the data. Usually you might expect to see some wording like "The data processor's right to use a sub-processor shall be contingent on:
(a) entering into a written contract on terms no less onerous than the contract the processor is agreeing to;
(b) provide sufficient written guarantees that it has in place appropriate technical measures so that the processing of the data will meet the applicable data protection laws;
(c) ensure that the sub-processor and its employees or any third parties acting on its behalf are made aware of the confidential nature of the data being processed; and
(d) contains an express right for the data controller to enforce the agreement directly against the sub-processor.

Whilst looking at this provision you might also want to double check that the right to transfer to a third party country under Art. 44 and make sure they comply.

Although I've given some examples above, you will need to decide how and what to agree as you are in the best position to know that taking into account the nature of the relationship.

So as the contract can't be voided and therefore re-negotiated it's down whether they are willing to revisit the agreement?

What exactly is the processor asking you to do? Are they asking you to sign a fresh agreement, a variation to reflect the GDPR or something else?

Thanks for helping here Rob, It was signed last year by the previous business owner, so rather than the dog wagging the tail and taking ownership of the data, the tail is wagging the dog with this agreement - what i mean by this is that had the controller (him) done this properly he wouldn't have signed on the processors terms without picking up on this.

I've been going through all contracts and as i don't want to be legally exposed so I wanted to revisit the agreement. God forbid there's a breech and on reporting to the ICO it turns out i can't evidence the data trail becuase of the processor sub-processing out either inside or outside the EEA.

Well, I guess it puts you in a bit of a difficult spot but all you can try to do is mitigate the risk, but you should take into account Article 82(2) and (3) which says:

Although not guaranteed, you could try to mitigate your risk to shift the liability or proportion of it in accordance with 82(3)

1. If you want to revisit the agreement you can approach the processor frame it in such a way to say that the current arrangement does not comply with the GDPR and requires certain changes to be made and you would like to arrange a meeting to discuss those changes. Of course if the processor isn't willing to play ball, then you may want to consider whether they are worth contracting with and the threat of looking for an alternative provider might give cause for them to agree to a meeting.

2. Assuming there is provision in the agreement, you can carry out an audit of the processor in accordance with Article 28 and confirm whether the processor is complying with their obligations under the GDPR. If it turns out they are failing to comply, you could use this as leverage to renegotiate the terms of the agreement.

If the ICO decided to come after you, then you could say to it that actually, you made attempts to renegotiate and they were refusing to comply, in which case the ICO might say well you could have terminated the arrangement (although you could argue otherwise if the business was tied in for a period of time).

Could be a number of scenarios but if you want specific details your current situation, I would suggest you seek some independent legal advice so that the solicitor can fully understand the position you are in and the best approach.

Fantastic advice and guidance Rob thanks so much.