What Is A Third Party Processor?


When you use advertising tools such as a Facebook pixel, or when you rely on third-party payroll software, you inevitably allow these service providers to collect and process personal data for your business operations. Under the GDPR, a service provider like this is called a “third-party processor”.

When you use these third-party processors, you need to comply with the specific obligations set by the UK GDPR such as signing a data processing agreement with them. If you fail to comply with the GDPR, you may get slapped with penalties and regulatory action.

For instance, the French Data Protection Authority imposed a €1.5m fine on the software publisher Dedalus. One of the violations found was a non-compliant data processing agreement that did not contain the required elements.

In this article, we will walk you through who third-party processors are, GDPR obligations to lawfully use these processors, and how you can comply.

To eliminate GDPR risks related to third-party processors, keep reading!

What is a third-party data processor?

Think about when Amazon sells goods through its website. When customers place an order, Amazon collects their personal data, such as their names, email addresses, credit card information and physical delivery addresses.

Amazon therefore decides what information to collect, how to collect it, where to store it and for how long. Under the UK GDPR, Amazon is the “data controller”.

However, this business will likely rely on third-party tools when selling goods online. For example, it may use a third-party cookie on its website to store the products customers place in their shopping baskets. It may also use a third-party processor such as Stripe to process payments.

In these instances, these third parties do not make any decisions about how personal data will be used; they simply process the personal data under the instructions of the data controller.

These third-party service providers are called third-party processors under the UK GDPR.

Under the UK GDPR, a third-party processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This processor signs a data processing agreement with the controller and this agreement includes rules about how data will be collected and used.

Put simply, Amazon, the online business that sells goods (the data controller), decides what data to collect and how to use, process and retain that data. A third-party processor such as a payment processor (like Stripe) or a cookie provider carries out processing activities on this data under the instructions of the data controller.

Processors vs joint controllers vs sub-processors

In the section above, we explained the difference between the data controller (Amazon) and the third-party data processor (Stripe).

Alongside third-party processors, other parties may also collect and process personal data.

Processors and Third Parties

Let’s now examine these other parties to understand the difference between a third-party processor and the other parties.

  • Joint controller: A joint controller is a third-party data controller that exercises joint control over the purposes and means of data processing activities. For example, when you operate a Facebook page, your business and Facebook are “joint controllers”. In this case, Facebook and your business sign a “Joint Controllership Agreement”.
  • Sub-processor: When a third-party processor processes personal data on behalf of a data controller, it can use other third parties’ services and allow those third parties to access and process the data controller’s personal data. Processors engaged by the third-party processor are called “sub-processors”. For example, when a website uses Google Analytics, Google becomes its third-party processor. Google may store the data collected through Google Analytics on a cloud provided by another company; this cloud provider is a sub-processor. The third-party processor and the sub-processor sign a data sub-processing agreement, which is separate from the data processing agreement entered into between the data controller and the third-party processor.

What is required when a third-party company processes personal data?

Under the UK GDPR, the data controller bears ultimate responsibility, and this covers the third-party processors it uses as well. Therefore, the data controller should engage third-party processors in compliance with the GDPR requirements.

Full compliance can only be achieved by having a complete, accurate and up-to-date picture of all third-party processors: how they operate, what data they process, and where and how they store that data.

Therefore, you need to do the following to identify third-party processors and implement appropriate measures:

  • Identify all the third-party processors you use: as a company you will use different processors, and you have to ensure that they are GDPR compliant as well, so keep a complete and up-to-date list of all the third parties you engage with.
  • Data mapping: you need to map how data flows across your organisation, from its collection to its deletion (including the data that goes to your third-party processors).
  • Sign data processing agreements: under the UK GDPR, your data processing agreement with each third-party processor must contain specific clauses. Furthermore, your processors must enter into data sub-processing agreements with their sub-processors, and these sub-processing agreements must include the same obligations as your data processing agreement.

How to ensure your third-party processors meet the requirements of the GDPR

Under the UK GDPR, the data controller bears full responsibility for its processors’ compliance with the GDPR. Therefore, you need to implement appropriate measures to ensure that your processors process personal data in compliance with the GDPR.

The key to ensuring your processors are compliant with the GDPR is signing a Data Processing Agreement (DPA) with each of them. For a data controller, this is a legal requirement under Article 28 of the GDPR, and the Data Processing Agreement must include specific terms.

This agreement must at least address the following issues:

  • Instructions: the processor will process data only on documented instructions from the data controller.
  • Duty of confidentiality: the processor must ensure that any person who processes the personal data is subject to a confidentiality obligation.
  • Security measures: the processor must implement all necessary security measures as required under Article 32 of the GDPR.
  • Sub-processors: the processor must not engage another processor (a sub-processor) without the controller’s prior specific or general written authorisation.
  • Data subject rights: the processor shall help the controller effectively satisfy data subject requests, such as access requests.
  • Assistance to the controller: the third-party processor shall assist the controller with various GDPR compliance matters.
  • End of the processing agreement: the agreement shall state that the third-party processor will delete the data upon the end of the agreement.

In addition to having a DPA, you should also find out about the following to identify and minimise risks:

  • Where and how does the third-party processor store personal data?
  • Is there a notification procedure for overseas transfers of personal data?
  • Are there appropriate security controls in place to identify and minimise risks?
  • Is there a breach response procedure in place?
  • Is there an international data transfer? For example, if your processor is located in the United States, or if it uses sub-processors such as Amazon Cloud to store data, you need to comply with the international data transfer requirements under the GDPR.

If you act mainly as a data processor, you will need a standard data processing agreement that you sign with each of your clients. For instance, HubSpot mainly provides services as a data processor and has a standard data processing agreement you can find here.

Consequences of non-compliance with the GDPR processing regulations

If you fail to map all your data flows and identify your third-party processors, you will not be able to enter into data processing agreements with them. What is more, you will not be able to assess and minimise the risks related to those processors.

When you fail to comply with these obligations under the UK GDPR, you may face the following consequences:

  • An individual may sue you, the data controller, in court for damages.
  • The UK Data Protection Authority (the “ICO”) may impose a fine of up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.

To avoid these GDPR fines and to benefit from the services of third-party processors, you need a practical tool that can map your data, identify your processors and create appropriate agreements.

This is why you should give Privasee a chance to help you satisfy these GDPR compliance requirements:

With Privasee, you can:

- Map your active cookies: the Privasee portal takes your personal data map and creates policies and cookie banners from this information.

- Multiple language support: if your website is accessible to users in third countries that speak other languages, you should have your cookie policy in those languages as well. Privasee’s policy helps you provide it in multiple languages.

- Create your data processing agreement: Privasee enables you to create a custom data processing agreement that you can use with all your customers, thanks to its Data Processing Agreement generator.

To comply with the GDPR requirements without expending excess resources, try Privasee Platform here.

Key Takeaways & Wrap Up

In this article, we have helped you understand the following:

  • A third-party processor is an individual or a legal person that processes personal data under the instructions of a data controller. This processor is in a direct relationship with the controller and acts in the controller’s interest.
  • The data controller and the processor must enter into a data processing agreement under Article 28 GDPR, and this agreement must include specific terms such as the handling of data subject requests and appropriate security measures.
  • To use third-party processors in compliance with the GDPR, you need to map all data flow and identify your third-party processors.

Frequently asked questions

Do I need to connect all my tools and third parties?

We never have access to any of your data; our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools. There's no need for your dev team to do anything, and there are no security risks: just tell us the tools you use and we will do the rest.

What is the scope of my privacy policy?

Our policies are not just about your website or service. Once set up, our platform will help you map out internal and external processes, such as HR, finance and more!

Do I need to replace my current policy for the privacy portal?

We recommend replacing your current policy with our policy; this way you’ll remain compliant as your business changes and as the laws update.

Do I need help filling out my details?

Setting up is easy: just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, and anything you don't know the answer to you can ask us about via our live chat or add later.

Why can’t I just use a template and add it to my website myself?

A template will not be applicable to your particular business, as there are many things to consider for each tool you use. Also, a template will not automatically update when changes happen in your business or when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.

What if you don’t have the tools and third parties that I have?

We have a huge selection of tools pre-loaded, and anything you don't see you can add directly from the platform, as well as mapping data for any custom software you may use.

Which plan should I choose?

Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.

Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.

Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.

Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.

Feel free to get in touch to discuss our GDPR Compliance Software solution.

How easy is it to set up?

Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools; don't worry if you don't know them all, as you can come back and add tools at any point. The platform will then generate the correct privacy policy based on your information, and you can then share it directly on your site. That's it!

What size companies is Privasee aimed at?

Privasee has a plan for smaller companies as well as larger enterprise companies. Small to medium companies can sign up directly. Bigger enterprise companies can get in touch with their requirements and our team will build a bespoke plan.

I already have a privacy policy, do I need Privasee?

You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.

Still have questions?

We are here to help