Subprocessor or joint data controller?
Sous-traitant ou responsable conjoint : comment bien les distinguer pour réussir votre conformité RGPD ?
Compliance with the GDPR requires the identification of each personal data subcontractor.
Indeed, the compliance of a data controller does not end with the processing of personal data that he carries out directly but extends to subcontracted processing.
Identifying subcontractors is a prerequisite for two obligations:
- Ensure that Subcontractors provide sufficient guarantees as to measures to protect personal data
- Supervise and formalize each subcontracting relationship in a contract or a written legal act.
To comply with these obligations, you must first map all of your personal data subcontractors. However, identifying a subcontractor can be a delicate exercise. In question, a border between subcontracting and joint responsibility that is sometimes difficult to delineate.
In this video, I go back to this exercise and give you the keys to distinguish a subcontractor from a joint data controller:
- The distinction between determination of purpose and determination of means
- The set of clues to determine autonomy, an exclusive characteristic of the data controller
