topic Re: GDPR Compliance of 3rd parties ... a What-If scenario in Privacy

GDPR Compliance of 3rd parties ... a What-If scenario

Del — Thu, 01 Feb 2018 11:47:12 GMT

As part of my GDPR work, I'm looking at vendors & suppliers and the data that they have access to

With respect to Article 28 - (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN), I understand the following:

"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,”

I also understand that “Controllers” must detail in written contracts how their “processors” are going to handle this customer data"

My question is ... imagine a third party supplier / vendor states they are NOT GDPR compliant and have NO plans to comply, and existing contracts were drawn up before GPDR came into force.

If I'm reading this correctly, my company is then liable, or at least jointly liable in the event of a GDPR breach involving the third party.

Re: GDPR Compliance of 3rd parties ... a What-If scenario

John — Thu, 01 Feb 2018 14:59:36 GMT

Yep. Most contracts have an exit clause in case the third-party cannot meet the technical and/or regulatory requirements of the customer. Even if you don't, you can break the contract and I don't know if there's a moderator out there who wouldn't side with you.

Re: GDPR Compliance of 3rd parties ... a What-If scenario

leroux — Sat, 03 Feb 2018 12:56:05 GMT

I fully agree with John and you will have to renegociate your contract according to EU contractual clause for processors ....

Re: GDPR Compliance of 3rd parties ... a What-If scenario

flyingboy — Tue, 06 Feb 2018 08:34:09 GMT

In short, do not use them if your company plans to stay in compliant. Seek others who are more willing to work with you reducing regulatory risks.