Del
Newcomer III

GDPR Compliance of 3rd parties ... a What-If scenario

As part of my GDPR work, I'm looking at vendors & suppliers and the data that they have access to.

With respect to Article 28 (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN), I understand the following:

"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,"

I also understand that "controllers" must detail in written contracts how their "processors" are going to handle this customer data.

My question is ... imagine a third party supplier / vendor states they are NOT GDPR compliant and have NO plans to comply, and existing contracts were drawn up before GDPR came into force.

If I'm reading this correctly, my company is then liable, or at least jointly liable, in the event of a GDPR breach involving the third party.

3 Replies
John
Newcomer III

Yep.  Most contracts have an exit clause in case the third-party cannot meet the technical and/or regulatory requirements of the customer.  Even if you don't, you can break the contract and I don't know if there's a moderator out there who wouldn't side with you.

---
You only say it's impossible because nobody's done it and lived.
leroux
Community Champion

I fully agree with John, and you will have to renegotiate your contract according to the EU contractual clauses for processors ...
flyingboy
Newcomer III

In short, do not use them if your company plans to stay compliant. Seek others who are more willing to work with you on reducing regulatory risks.