If you are going to outsource aspects of data processing to third parties, you not only have primary responsibility for your own compliance but also for ensuring the compliance of your Processors.
This means that, regardless of the terms of the contract with a Processor, you as the Controller may be subject to any of the corrective measures and sanctions set out in the GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines.
You are responsible for assessing that the data processor is competent to process Personal Data in line with the GDPR’s requirements, taking into account the nature of the processing and the risks to the data subjects.
You must ensure your Processors’ compliance on an ongoing basis in order to satisfy the accountability principle and demonstrate due diligence. In particular, the GDPR explicitly requires the Processor to allow for and contribute to audits and inspections, carried out either by the Controller or by a third party appointed by the Controller. The methods used to monitor compliance and the frequency of monitoring will depend on the circumstances of the processing.
There is also a separate requirement to have a GDPR-compliant contract in place and to give the Processor documented instructions to follow (either in the contract or separately). The contract must ensure that the processing of Personal Data by a Processor will comply with all the GDPR’s requirements and protect the rights of data subjects. The GDPR sets out specific minimum terms that must be included in the contract.
Share our skills | Meet your duties
Questionnaire-based diligence check on data processors £50
Processing contract if required
Annual payment of £100 (waived for reputation advocates)
Processing Contract template £99
Data Protection Audit £300 per day plus reasonable travelling expenses