Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

Expert Advice Community

Guest

IT organization

  Quote
Guest
Guest user Created:   Apr 08, 2018 Last commented:   Apr 08, 2018

IT organization

A small IT organization manages another companies IT infrastructure. Though they do not actually "view or access" the records of the controllers data, they do move files and perform everyday automated functions (backups for example) and also perform manual restores or changes to file permissions for example. They are therefore a Processor, but should each activity be logged / recorded ?
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Andrei Hanganu Apr 08, 2018

Answer:

The small IT organization definitely acts as a processor as you mentioned. As such they need to act only on the instructions of the data controllers an they need to be able to prove that any processing pf personal data was done as instructed by the data controller or based on the contractual obligations set up in the contract between the controller and processor. Logs are definitely a way of keeping a tab on the activities done based on the instructions of the data controller and they would also be useful as proof that the activities are actually happening.

Regarding the level of details this is something that you need to establish by yourself and is strictly related to the services that are provided.

To find out more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” - https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 08, 2018

Apr 08, 2018

Suggested Topics