Lesson 4
Data processors - what must you consider?
What do I have to consider regarding data processors?
Not every external service provider who receives access to personal data from you is automatically a processor. There are in principle 3 possibilities of a “data processing relationship”: joint accountability, data processors, or transmission (function transfer). You only need a data processing contract in the case of a data processor relationship.
An example: You and your partner company that helps you with the monetization of your customer data or takes on parts of management are mutually responsible. Here, you both determine the means and purpose of data processing. On the other hand, a transmission of functions exists precisely when data processing as such only plays a minor role. This would be, for example, an external accounting firm or a security service. On the other hand, it is clear for a processor: they are acting under your explicit contract and, as the controller, you determine the purpose and means of data processing. You should then enter into a data processing agreement with them.
It is therefore best to make a list of providers with whom you exchange data. You should also check which form of “relationship” exists every time you transmit to a provider.
What should be done regarding processors?
A processing contract (often known as a data processing agreement) must additionally be closed with every third party provider. This is nothing more than a formal agreement between you and the third party regarding the GDPR compliant elicitation, processing and use of personal data.
If you use processors outside of the EU, for example in the USA, you may find that these do not offer a data processing agreement for your customers/partners. In this case, you should consider rethinking your choice of tools. This gives you the opportunity to optimize your internal processes whilst at the same time revising them in accordance with the GDPR.
Note: When working with a provider from a third country, check whether it is a safe or unsafe third country. Safe third countries are those which the EU considers to have adequate arrangements, or US companies who can produce a Privacy Shield certificate. If this isn’t the case, it can be considered to be an unsafe third country. You then require an EU-specified contract model, also known as the “model clause” contract.
You can find more details here:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
You can continue working with these providers:
We contacted third party providers who are often used by our vendors and affiliates and received answers from the following providers (as of 01.10.2018).
A data processing agreement is offered. https://capsulecrm.com/dpa/.
A data processing agreement is offered. This can be activated in your account.
No agreement is necessary as it is a plugin. This is installed directly on the customer server and no data is therefore sent to DigiMember.
The data processing agreement can be entered into directly in your account.
Klick-Tipp has been offering such agreements for a long time and should be the first choice for anyone wanting to operate data protection-compliant email marketing. Since the majority of the Klick-Tipp team is based in the EU, they are always up to date on the subject of GDPR compliance. They have always been the front runners regarding GDPR and drew attention to GDPR, which has existed since 2016, years ago.
The data processing agreement can be entered into directly in your account.
A data processing agreement can be entered into via the following link: https://swissmademarketing.com/data-processing-agreement/.
A data processing agreement can be entered directly in your account.
No agreement is necessary as it is a plugin. This is installed directly on the customer server and no data is therefore sent to Wishlist.
Zapier offers a common data processing agreement. This can be found here: https://zapier.typeform.com/to/TcS4pD
