Guest user Created: Aug 12, 2021 Last commented: Aug 19, 2021

DPIA’s and Clients' data

I have a question around DPIA’s and our Clients data As a security Monitoring company providing SOC-as-a-service, we are a ‘processor’ to our clients, and we monitor their networks/systems under contractual obligation. Would we be required to carry out DPIA’s on our Client Data as a processor as well as our own data as a controller? From what I understand we would carry out a DPIA on their data if they request that we do so. Is this correct? If this is not clear or you need more information, feel free to let me know.

0 0

Assign topic to the user

Select user

Expert

Alessandra Nisticò Aug 19, 2021

Yes, you are right, DPIA is an obligation of the data controller, as a data processor you may suggest to your client to conduct a DPIA and help them in the process, but you don't need it if the controller does not require it. About data you process as a controller, you need to determine if the monitoring falls under the scope of Article 35 GDPR, if a DPIA is required, I would suggest you use the tool that the CNIL (the French Data Protection Authority implemented, it is in English and it guides controllers through the assessment process).

Here you can find more information about the DPIA process:

5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

If you need to understand how to implement the EU GDPR you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

Quote

0 1

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Aug 12, 2021

Aug 19, 2021

Expert Advice Community