Re: GDPR Compliance of 3rd parties ... a What-If s...

Del · ‎02-01-2018

As part of my GDPR work, I'm looking at vendors & suppliers and the data that they have access to

With respect to Article 28 - (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN), I understand the following:

"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,”

I also understand that “Controllers” must detail in written contracts how their “processors” are going to handle this customer data"

My question is ... imagine a third party supplier / vendor states they are NOT GDPR compliant and have NO plans to comply, and existing contracts were drawn up before GPDR came into force.

If I'm reading this correctly, my company is then liable, or at least jointly liable in the event of a GDPR breach involving the third party.

John · ‎02-01-2018

Yep. Most contracts have an exit clause in case the third-party cannot meet the technical and/or regulatory requirements of the customer. Even if you don't, you can break the contract and I don't know if there's a moderator out there who wouldn't side with you.

---
You only say it's impossible because nobody's done it and lived.

leroux · ‎02-03-2018

I fully agree with John and you will have to renegociate your contract according to EU contractual clause for processors ....

flyingboy · ‎02-06-2018

In short, do not use them if your company plans to stay in compliant. Seek others who are more willing to work with you reducing regulatory risks.

GDPR Compliance of 3rd parties ... a What-If scenario