During the first stage of a compliance project, it is smart to structure your data. This means finding all the systems containing personal data and knowing who the system providers are. Once you understand the first level of where the data is, you should be able to identify who is processing the data. Processing is defined in article 4(2) of the GDPR as any operation or set of operations which are performed on personal data or sets of personal data, whether or not by automated means.
A vendor can be an individual or organisation that provides a system and is responsible for the operations that the system is performing.
Read the following example:
- Jens is employed in a law firm in Germany.
- The HR department processes his file and keeps it in a file folder.
- The company, at the same time, uses a payroll system to deposit Jens' salary every month to his bank account.
This scenario contains individuals and groups that play different roles in processing data. The first is the subject of the personal data - Jens - whose personal data is processed when he is hired and when he receives his salary. The second role is performed by the organisation which decides how and why the personal data is processed, i.e. when they hired Jens and when they pay him, meaning they play the role of the data controller. The data processor, in this case, is the organisation or individual (vendor) that processes Jens' personal data, to execute the payment, through their system(s), on behalf of the data controller.
To be able to answer whether the vendor is a data processor, you need to understand the roles, so let's take a look at them:
Role of a data controller:
A data controller decides how and why the data is collected. They are the ones that determine the reason why the data is processed, how it is going to be used, who is going to use it, who to share it with, and what you are going to use it for.
Role of a data processor:
A data processor should not have decision-making autonomy. They can't do anything more than what the data controller tells them to do.
The distinction between controllers and processors may not be simple. However, article 4(7) of the GDPR defines the controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." On the other hand, a processor is defined in article 4(8) as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
With these concepts in mind, you can complete the vendor information in your Wired Relations account!
Let's start by assigning a member of your organisation, who is, or should be, responsible for the use of the vendor. This person is typically the same as you designated as responsible for the system.
To complete the vendor overview, you need to be able to answer whether the vendor is a data processor or not. This requires assessing whether they are performing any actions with your data. For example, if you have a cloud service provider to store your information, the activity they are performing is "storage". If they are processing data, the answer is yes; otherwise you can select "not sure" and ask for a legal evaluation from a member of your organisation.
If the vendor is processing data, you should have a DPA (data processing agreement) between the parties. A legal evaluation is usually advised to determine whether it is compliant or not. You can answer the question with "not sure" in case you have a DPA but the legal evaluation is not conclusive.
The last step is to attach all the documentation you have from the vendor so that all the information can be found in the same place. Once you complete all the steps, don't forget to change the vendor status from "Not started" to "In progress" or "Done".
This way, you will always have an updated overview of the state of your vendors.