20 Jan Third Party relationships under GDPR
Among other things, the European Union’s General Data Protection Regulation (GDPR) regulates the relationship between controllers and processors.
A controller is a person or company that determines why and how personal data is processed. A processor is a person or company that processes personal data on behalf of a controller. Under Article 28 of the GDPR, such processing must be governed by a contract or other legal act that binds the processor to the controller, and the GDPR prescribes what that contract has to contain.
For example, when clients open accounts with a bank, the bank accumulates data about them. In this case, the bank is the controller. If the bank uses a third-party cloud services provider to store the acquired client data, the service provider is the processor. The GDPR stipulates certain provisions that must appear in the contract between controller and processor, including undertakings that the processor will act only on the controller’s documented instructions, confidentiality obligations, the deletion or return of data when the contract ends, the controller’s right to audit and inspect, and the security measures the processor must implement.
As far as responsibility for security breaches is concerned, the GDPR requires both controllers and processors to implement appropriate technical and organizational measures to secure the processing (Article 32), and it requires controllers to ensure, and be able to demonstrate, that all processing is performed in accordance with the regulation. When a personal data breach occurs, the processor must notify the controller without undue delay, and the controller must in turn notify the supervisory authority, where required, within 72 hours of becoming aware of it. If organizations fail to comply, fines may be imposed on the controller and on the processor; in setting the amount, the supervisory authority weighs each party’s degree of responsibility, taking into account the technical and organizational measures it actually implemented.