Processors and joint controllers
Do you sometimes call on third parties to process personal data?
What you need to know.
Suppliers may use personal data of your customers, employees, etc. to provide services to your company. You might, for instance, appoint a social secretariat for personnel administration or a marketing agency to develop and send electronic newsletters. When these suppliers process the personal data solely for the benefit of your company, they are regarded as "processors" under the GDPR. Perhaps your company acts as a processor for other companies?
Companies can also process personal data together for specific purposes. For example, a group of companies may use the same database containing data of all employees of the different companies of the group. If the different companies within the group decide jointly on how the database should be used (e.g. which personal data needs to be uploaded, how long the data needs to be retained and who can consult it), they should be regarded as "joint controllers".
What you need to do by 25 May 2018.
It is important to identify the companies that use personal data of your customers, employees, etc. and treat such companies as processors or joint controllers. If these companies use the personal data for their own purposes, they are, just like your company, a (separate) "controller" for such processing. You should also verify in which cases your company might act as a processor, since different obligations apply to processors and controllers.
Then you must conclude an agreement with the processors that you have so identified, and this agreement must include at least the provisions stipulated by the GDPR.
Joint controllers must also make mutual arrangements which should define their respective responsibilities for compliance with the obligations under the GDPR (for example, the way in which persons whose data are processed will be informed thereof).
Please consult our website or contact one of our team members if you have questions or require more information: