What are our data security and privacy responsibilities when we use multiple providers to connect for the user web experience? Data collected from those partners will be owned by those partners, but we store it to share it with other partners based on that experience. Are we a controller, processor, or joint controller? Maybe you can provide any links that would help us understand more.
According to Article 4 GDPR – Definitions, a Data Controller means “the […] legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data” while the Data Processor means “a […] legal person […] which processes personal data on behalf of the controller”. The basic difference between the controller and the processor is that the controller has a large degree of autonomy in how it determines the processing operations and purposes for processing, while the processor has almost no autonomy – it processes the personal data according to the controller’s requests.
If you want to be a Data Processor, you should ensure logical separation of customers’ environments, full customer control on their tenants, ability to download/delete their data, etc. You could allow your customers to connect to other providers via your ecosystem, whether your providers are controllers or processors (for your customers) or subprocessors (for your customers, but subcontracted by you).
If you want to perform telematics on customer data (such as recording performance data in order to improve your ecosystem), you might become a joint controller in the relationship with your customers.
At Advisera we have an EU GDPR Documentation Toolkit that can help you on your journey to becoming GDPR-compliant using a step-by-step approach. It contains 39 document templates – unlimited access to all documents required by GDPR, access to video tutorials, email support, expert review of a document, and one hour of live one-on-one online consultations with a GDPR expert. It contains templates for Supplier Data Processing Agreements that you can use with your suppliers or with your customers, an International Personal Data Transfer Procedure as well as guidelines on how to fill in the Standard Contractual Clauses needed for personal data exports outside of the European Union.
Please also consult these links:
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
- Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
- EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
- European Data Protection Board Guidelines 07/2020 on the concepts of controller and processor in the GDPR: https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf
Oct 09, 2022