Data Protection and Third Parties
Organisations frequently need to transfer personal data to third parties. Examples of these types of relationships might be those which you have with your accountant, web host and marketing company.
Under the General Data Protection Regulation (‘GDPR’), the body that determines the purposes and means of processing is the ‘data controller’, and the body that processes the data on behalf of the data controller is the ‘data processor’.
These will often be one and the same, but where they are not, it is important to ensure that the terms and conditions which regulate these transfers of personal data comply with data protection law.
An example of this type of relationship in practice is where a company decides to outsource its payroll to its accountants to administer. The company therefore transfers its employees’ personal data to the accountants. The company clearly needs to pay its employees, but it is not necessary for it to outsource this task; the company is electing to do so.
In practice, the company would either need to obtain the voluntary consent of its employees for this to take place, or would need to show, and document (for example in a data protection policy), that outsourcing this specific task is a legitimate interest of the company. The company would also need to ensure that the terms and conditions regulating the business relationship between itself and the accountants set out how the personal data is to be processed.
The Information Commissioner’s Office has published guidance on what should be included in these types of third-party agreements.
The ICO highlights that the following should always be included in a controller–processor contract:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subjects;
- The obligations and rights of the controller;
- The processor must only act on the written instructions of the controller;
- The processor must ensure that people processing the personal data are subject to a duty of confidence;
- The processor must take appropriate measures to ensure the security of the processing;
- The processor must only engage a sub-contractor (sub-processor) with the prior consent of the data controller and under a written contract;
- The processor must assist the data controller in providing subject access and in allowing data subjects to exercise their rights under the GDPR;
- The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- The processor must delete or return all personal data to the controller as required at the end of the contract; and
- The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that both are meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or any other data protection law of the EU or of a Member State.
Clearly, there is a lot to think about when you are transferring personal data to third parties. You will probably need to ensure that your policies and procedures also explain that you are transferring personal data in this way. It may also be relevant to employment contracts