Third parties who deal with our company data. Danger!


Author: Fabián Plaza Miranda

In May next year the General Regulation of Data Protection (from now on, RGPD) will enter into force. As is well known, this legislative text adds new obligations for all people or companies that deal with personal data. That is why it is necessary to adapt little by little, taking advantage of this transition period, so as to avoid deep organizational changes when the time is almost up.
We already know some of the changes that must be made:

  • Drafting new legal and informative texts for all concerned,
  • Creating an application framework for the new rights (like the right to data portability or the right “to be forgotten”),
  • Hiring adequate staff (Expert in Data Protection),
  • Preparing impact assessments,
  • Applying data protection by design,
  • Implementing protocols for security violations affecting stored data,
  • Etcetera.

However, there is one aspect that deserves greater attention: the regime for the manager of data processing.
Most companies have hired managers without knowing anything about this aspect. This is risky, as they may be in breach of the RGPD, which can bring several penalties.

The first thing to ask is: what is a manager of data processing? The RGPD defines it as “the natural or legal person, public authority, service or agency that processes personal data on behalf of its processing responsible.”
Put simply, the manager of data processing is any person who has access to our personal data files on our behalf (for example, to provide a service). Advertising agencies that send mail advertising for us, the agency that does the bookkeeping, or the external data entry service all belong to this category.

When we hire them, we must be sure that they also fulfil the obligations of the RGPD. For example:

  • Do they know how to process the data in the way that RGPD requires?
  • Do they have appropriate security measures in place?
  • Do they know how to give notice in case of any security violation?
  • Do they need a Delegate in Data Protection? If they do, does that person have the powers that the RGPD requires?
  • If applicable, is a record kept of the course of the processing?
  • Etcetera.

It is important to note that the RGPD states you can only choose managers of data processing that can give guarantees. Otherwise, as said before, several penalties can follow.

That is why at Casaparaula we recommend:

  1. Review all contracts with data processing managers to be sure they comply with regulatory requirements.

  2. Prepare the new contract clauses that are going to be required next year.