March 20, 2023
When you use advertising tools such as a Facebook pixel, or when you rely on third-party payroll software, you inevitably allow these service providers to collect and process personal data for your business operations. Under the GDPR, a service provider like this is called a “third-party processor”.
When you use these third-party processors, you need to comply with the specific obligations set by the UK GDPR such as signing a data processing agreement with them. If you fail to comply with the GDPR, you may get slapped with penalties and regulatory action.
For instance, the French Data Protection Authority imposed a €1.5m fine on the software publisher “Dedalus”. One of the violations found was a non-compliant data processing agreement, because the agreement did not contain the necessary elements.
In this article, we will walk you through who third-party processors are, GDPR obligations to lawfully use these processors, and how you can comply.
To eliminate GDPR risks related to third-party processors, keep reading!
Think about when Amazon sells goods through its website. When customers place an order, Amazon collects their personal data, such as their names, email addresses, credit card information, and physical delivery addresses.
Amazon therefore decides what information to collect, how to collect it, where to store the data, and for how long. Under the UK GDPR, Amazon is a “data controller”.
However, this business will likely rely on third-party tools when selling goods online. For example, it may use a third-party cookie on its website to store the products customers place in their shopping baskets. It may also use a third-party processor like Stripe to process payments.
In these instances, the third parties do not make any decisions about how personal data will be used; they simply process this personal data under the instructions of the data controller.
These third-party service providers are called third-party processors under the UK GDPR.
Under the UK GDPR, a third-party processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This processor signs a data processing agreement with the controller and this agreement includes rules about how data will be collected and used.
Put simply, Amazon, the online business that sells goods online (the data controller), decides what data to collect and how to use, process and retain that data. A third-party processor, such as a payment processor (like Stripe) or a cookie provider, carries out processing activities on this data under the instructions of the data controller.
In the section above, we explained the difference between the data controller (Amazon) and the third-party data processor (Stripe).
Alongside third-party processors, there may be other parties that collect and process personal data.
Let’s now examine these other parties to understand the difference between third-party processors and other parties.
Under the UK GDPR, the data controller bears ultimate responsibility, and this covers the third-party processors it uses as well. Therefore, the data controller should engage third-party processors in compliance with the GDPR requirements.
Full compliance can only be achieved by having a complete, accurate and up-to-date picture of all third-party processors: how they operate, what data they process, and where and how they store that data.
Therefore, you need to do the following to identify third-party processors and implement appropriate measures.
Sign Data Processing Agreements
Under the UK GDPR, your data processing agreement with your third-party processors must contain specific clauses. Furthermore, your processors must enter into data sub-processing agreements with their sub-processors, and these sub-processing agreements must include the same obligations as your data processing agreement.
Under the UK GDPR, the data controller bears full responsibility for its processors’ compliance with the GDPR. Therefore, you need to implement appropriate measures to ensure that your processors process personal data in compliance with the GDPR.
The key to ensuring your processors are compliant with the GDPR is to sign a Data Processing Agreement (DPA) with them. As a data controller, this is a legal requirement under Article 28 of the GDPR. This Data Processing Agreement must include specific terms.
This agreement must at least address the following issues:
In addition to having a DPA, you should also find out about the following to identify and minimise risks:
If you act mainly as a data processor, you will need a standard data processing agreement that you sign with each of your clients. For instance, HubSpot mainly provides services as a data processor, and it has a standard data processing agreement you can find here.
If you fail to map all your data flows and identify your third-party processors, you will not be able to enter into data processing agreements with them. What is more, you will not be able to assess and minimise the risks related to your third-party processors.
When you fail to comply with these obligations under the UK GDPR, you may face the following fines:
To avoid these GDPR fines and to benefit from the services of third-party processors, you need a practical tool that can map your data, identify your processors and create appropriate agreements.
This is why you should give Privasee a chance to help you satisfy these GDPR compliance requirements:
With Privasee, you can:
-Map your active cookies: The Privasee portal takes your personal data map and creates policies and cookie banners from this information.
-Create your data processing agreement: Privasee enables you to create a custom data processing agreement that you can use with all your customers, thanks to its Data Processing Agreement generator.
To comply with the GDPR requirements without expending excess resources, try the Privasee Platform here.
In this article, we have helped you understand the following:
Ensure your policies are always up to date with Privasee, an AI-powered GDPR compliance solution that does it all.