What are the GDPR obligations of subcontracting companies?

A subcontractor can be defined as any person who processes personal data on behalf of, and under the instructions of, the data controller. The subcontractor is distinct from the data controller, who defines the means and purposes of the processing.

For example: the data controller must pay its employees and produce pay slips. It may choose to delegate this task to a third party. The legal entity that processes personal data in order to run the payroll is then a subcontractor: it carries out data processing on behalf of the data controller.

You can also watch our replay webinar on the subject.

The answer to the survey: "Does the subcontractor have to keep a processing register?"

In a survey carried out on November 9 on our LinkedIn page, we asked you whether the subcontractor must keep a processing register.

You did well! Out of 157 voters, 92% of you voted yes. This is indeed the correct answer: the subcontractor must keep a processing register.

Article 30 of the GDPR requires the subcontractor to keep a so-called subcontracting register. It is similar to the processing register kept by the data controller for its own activities, but the two registers do not contain exactly the same information. According to the GDPR, the subcontracting register must include:

· the identities of the data controller and the subcontractor,

· the categories of processing carried out,

· any transfers outside the European Union,

· the security measures implemented.

What are the subcontractor's obligations?

1. The obligation of transparency and traceability

The subcontractor has an obligation of transparency and traceability of the data towards the data controller that delegates all or part of its activity to it. Article 28 of the GDPR recommends establishing a contract between the parties setting out their reciprocal obligations.

The processor must be able to demonstrate its compliance efforts to the controller, for example by undergoing audits and maintaining a subcontracting register.

The processor must also guarantee that the data is processed only in accordance with the controller's instructions.

2. The obligation to respect the essential principles of the GDPR

The subcontractor must ensure that the tools it uses respect the principles of privacy by design and privacy by default, that is, that they comply with the GDPR from their design stage and in their default configuration.

3. The obligation to guarantee the security of the data that is processed

The subcontractor must guarantee that the data it handles is processed in a way that ensures a level of security and confidentiality appropriate to the risks the processing creates for the data subjects. It must therefore implement technical and organizational measures capable of ensuring that level of security, notably physical and logical security measures.

4. The obligation to alert, advise and assist

The subcontractor must advise the data controller on the use of the data. It must also alert the controller in the event of a risk, such as a security incident, and assist the controller where necessary when a data subject exercises their rights. More generally, it is bound by an obligation to cooperate with and assist the data controller. The contract should define precisely the terms and scope of this cooperation, so as to avoid any difficulty on the day it has to be put into practice.

Data Comply One software (formerly Mission RGPD) and subcontractors

With Data Comply One (formerly Mission RGPD), you can audit your subcontractors using our audit templates. You also have the option to create your own custom audits.

If you are a subcontractor yourself, Data Comply One (formerly Mission RGPD) guides you in creating your subcontracting register and your incident register.

Don't waste any more time, it's so simple!