Newcomer III

GDPR Compliance of 3rd parties ... a What-If scenario

As part of my GDPR work, I'm looking at vendors & suppliers and the data that they have access to.

With respect to Article 28 (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN), I understand the following:

"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,"

I also understand that "controllers" must detail in written contracts how their "processors" are going to handle this customer data.

My question is ... imagine a third party supplier / vendor states they are NOT GDPR compliant and have NO plans to comply, and existing contracts were drawn up before GDPR came into force.

If I'm reading this correctly, my company is then liable, or at least jointly liable, in the event of a GDPR breach involving the third party.

3 Replies
Newcomer III

Re: GDPR Compliance of 3rd parties ... a What-If scenario

Yep. Most contracts have an exit clause in case the third party cannot meet the technical and/or regulatory requirements of the customer. Even if you don't, you can break the contract and I don't know if there's a moderator out there who wouldn't side with you.

---
You only say it's impossible because nobody's done it and lived.
Community Champion

Re: GDPR Compliance of 3rd parties ... a What-If scenario

I fully agree with John, and you will have to renegotiate your contract according to the EU contractual clauses for processors ....
Newcomer III

Re: GDPR Compliance of 3rd parties ... a What-If scenario

In short, do not use them if your company plans to stay compliant. Seek others who are more willing to work with you on reducing regulatory risks.