I would like your help; if you can help, it would be a pleasure.
This is a detailed question, and it has not been possible for me to find the answer by browsing websites on the internet, or I am not sure how to apply what I find.
I'm doing an internship right now.
My question is:
There are two companies A Company and B company
A company uses B company's product/ service.
B company has two websites: website X is a normal website that everyone can reach, and Y is a different interface only for its users, who log in on this page to use the service.
To log in and use the service, the two companies have to sign a contract.
The functions of a visitor visiting a web page and of a user are different.
GDPR says to inform everyone and get their consent; while it is possible to do this for visitors, what is the method for users?
Company A determines the people who will use company B's service and gives them authorization. In this case, is company B obliged to separately inform the users authorized by company A?
I'm asking this because my manager is asking whether there should be a notification on the page where users log in to use the service.
The source of this problem is:
Even though companies have privacy policies on their websites, there is still a note on the collection and storage of information in the demo request form section. So an information note is being considered again; is it necessary to apply this logic to the user as well?
Sorry for taking so long to explain the question.
I would be glad if you help.
From the details you provided, most likely company A is a Data Controller and company B is a Data Processor for company A. However, company B, for its own public website, is a Data Controller, so that’s why they have a Privacy Notice. The Data Controller needs to take all technical and organizational measures to demonstrate compliance with GDPR, per Art. 25 – Data protection by design and by default. That is why, according to Article 5.1.a – the principle of lawfulness, fairness and transparency – and to Article 13 – Information to be provided where personal data are collected from the data subject – company A is accountable for how it informs its own data subjects about the processing operations carried out by company B on its behalf. So company A should take, with the help of company B, all steps to make sure that the data subjects using the company B services purchased by company A are informed. Also, according to Article 28 – Processor – company A needs to sign a Data Processing Addendum with company B, after they have performed a minimum due diligence on the supplier to make sure that company B offers the same level of protection for personal data as is offered by company A.
At Advisera we have a great EU GDPR Premium Documentation Toolkit that can help you achieve compliance in this case. We have templates for Privacy Notice, Supplier Privacy Notice (that should be sent by Company A to Company B’s employees), Processor GDPR Compliance Questionnaire, Supplier Data Processing Agreement etc.