Handling data according to EU GDPR
If we are coordinating a European project, and the data we collect is basic personal data (name, phone, email) from different EU city employees who take part in that project, are we, as a coordinator, responsible for how other project partners handle this data? I.e. the project makes us ensure that many partners also view this data (it wouldn't serve a purpose if we anonymize it), and then how can we control what the partner organisations do with this data, whether they delete it on time, etc.? So far we had a project document called DP management, where we would write down procedures, including that the data needs to be deleted after the project ends and so on. Is this enough to show our accountability as coordinators?
"If we are coordinating a European project, and the data we collect is basic personal data (name, phone, email) from different EU city employees who take part in that project, are we, as a coordinator, responsible for how other project partners handle this data? I.e. the project makes us ensure that many partners also view this data (it wouldn't serve a purpose if we anonymize it), and then how can we control what the partner organisations do with this data, whether they delete it on time, etc.? So far we had a project document called DP management, where we would write down procedures, including that the data needs to be deleted after the project ends and so on."
You need to evaluate whether your project partners process data on your behalf; you can be considered the leader of the project, and therefore they will be seen as data processors. In this case, you need to appoint them, determine procedures and controls, and require compliance with your policies.
Your partners may also be seen as joint controllers, under Article 26 GDPR, if they determine with you the means and the purposes of data processing. In this case, you can make a data processing agreement and jointly determine the policies to follow. Each will be accountable for the data processed by its company.
"Is this enough to show our accountability as coordinators?"
If your partner is a data processor, you need to appoint them as such with a data processing agreement. Article 28 GDPR requires a written legal undertaking. Of course, you can demand that they follow your policies and rules, and also check whether they comply with them.
Here you can find more information:
- Article 26 GDPR: https://advisera.com/eugdpracademy/gdpr/joint-controllers/
- Article 28 GDPR: https://advisera.com/eugdpracademy/gdpr/processor/
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
- EU GDPR document template: Processor GDPR Compliance Questionnaire https://advisera.com/eugdpracademy/documentation/processor-gdpr-compliance-questionnaire/
- EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/
If you want to know more about GDPR compliance, you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Oct 19, 2020