Consider the scenario:
1) the company sells both standard suits and custom tailored suits;
2) for the custom tailored suit, the company needs the measures of the final customer (body measures); because, potentially, these measures contain sensitive data about health status, the company asks for explicit consent before manufacturing;
3) after the final customer’s consent, the suit has to be produced; the suit goes through a lot of workcenters where only personal data of the customer, first name and family name, are written on a specific label; this label is visible to the manufacturing people involved in the production steps;
4) also, the final check of the suit involves an external step, where an external supplier verifies the suit before the delivery to the customer; the delivery is performed by the company when the suit gets back after the check.
I would like to know if the company has to inform (notify) the final customer about the manufacturing process in terms of its personal data visibility and, most importantly, if the company has to explicitly declare the name of the external supplier that checks the suit before the delivery. For the company, in fact, this could be difficult because this kind of supplier may change year after year.
You should include the information about personal data being shared with third parties in your customer Privacy Notice; you don’t need to name those third parties, only make a reference to the activities that the third parties perform.
Hello Andrei and thank you for this response; I have a little but important clarification about this scenario. I summarise the situation: the "direct" and independent customers of the company A (we call these customers "B") collect the body measures of their final customers (called "C") that aren't direct customers of the company A. So "A" has a lot of customers "B", and "B" have a lot of customers "C" that are NOT customers of "A"; but "A" collects "C" data through "B", and these are biometric data (measures for tailor made suits), potentially sensitive data. Most importantly in my opinion, in this case "A" needs a formal letter from every "B" customer for operating as "processor" of "C" personal data: is it correct? What if "B" don't give "A" this formal agreement?
Thanks in advance for your response.
Whoever is the controller needs to have signed Data Processing Agreements with its processors, not a letter but a legally binding document. So, the trick in this case, and in any case for that matter, is correctly identifying the parties (controller and processor).
Also, the controllers need to specify in their privacy notices if they will be using third parties to process data on their behalf.
Thank you Andrei; the last question about that is if we can use the same agreement, "modified", for nominating the "internal" data processors or, in other words, the functional/executive managers who are employees of the company and would have to manage and guarantee the GDPR procedure in their area.
Yes, but I mean that a company probably needs a set of internal employees (probably executives) involved as "verifiers" that the processes in every area will be "aligned" with GDPR; suppose that we do not have a DPO, the question is if there exists some formal document (agreement, etc.) for formally instructing, for example, some head office for this specific job supporting the "Data Protection Officer". Kind regards. Bruno