Data controller or data processor
Our company has signed an agreement with an IT company for IT support services - to upgrade the configuration of our internal information management system and to provide IT support in case of trouble. It is necessary for the IT company to get remote access to the system, including access to the personal data of employees. The IT company doesn't make any copies or take any other actions with personal data. Is the IT company a data processor and do we have to sign an agreement between data controller and data processor according to the GDPR 28 article? Or, maybe it could be another kind of relationship concerning data protection between our company and the IT company?
According to article 4 GDPR, a data processor processes personal data on behalf of the data controller. With reference to the IT maintenance system, there has been an interpretation of the German Data Protection Authority (DPA) which considers “data processing” also the occasional access to client’s data from the IT maintenance company. You should verify if your national DPA gave some definition of data processing. If not, it would be safer to adhere to the strict German interpretation in order to assure compliance and consider the IT company as a data processor.
This is the official statement of German DPA (in German): https://datenschutz-hamburg.de/assets/pdf/DSK_Kurzpapier_Nr_13_Auftragsverarbeitung.pdf
Here you can find some useful information:
You can also consider enrolling in our free EU GDPR Foundation course:
Apr 23, 2020