Question about privacy notification
From the details you provided, most likely company A is a Data Controller and company B is a Data Processor for company A. However, company B, for its own public website, is a Data Controller, so that’s why they have a Privacy Notice. The Data Controller needs to take all technical and organizational measures to demonstrate compliance with GDPR, per Art. 25 - Data protection by design and by default. That is why, according to Article 5.1.a – the principle of lawfulness, fairness and transparency – and to Article 13 – Information to be provided where personal data are collected from the data subject – company A is accountable for how it informs its own data subjects about the processing operations carried out by company B on its behalf. So company A should take, with the help of company B, all steps to make sure that the data subjects using the company B services purchased by company A are informed. Also, according to Article 28 – Processor – company A needs to sign a Data Processing Addendum with company B, after they have performed a minimum due diligence on the supplier to make sure that company B offers the same level of protection for personal data as is offered by company A.
At Advisera we have a great EU GDPR Premium Documentation Toolkit that can help you achieve compliance in this case. We have templates for Privacy Notice, Supplier Privacy Notice (that should be sent by Company A to Company B’s employees), Processor GDPR Compliance Questionnaire, Supplier Data Processing Agreement, etc.
Please consult these links as well:
- EU GDPR Premium Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/
- Article 5 GDPR - Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
- Article 13 GDPR - Information to be provided where personal data are collected from the data subject: https://advisera.com/eugdpracademy/gdpr-text/rights-of-the-data-subject/information-and-access-to-personal-data/
- Article 25 GDPR - Data protection by design and by default: https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/
- Article 28 GDPR – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
May 12, 2022