Subprocessor or joint data controller?
Sous-traitant ou responsable conjoint : comment bien les distinguer pour réussir votre conformité RGPD ?
Compliance with the GDPR requires the identification of each personal data subcontractor.
Indeed, the compliance of a data controller does not end with the processing of personal data that he carries out directly but extends to subcontracted processing.
Identifying subcontractors is a prerequisite for two obligations:
- Ensure that Subcontractors provide sufficient guarantees as to measures to protect personal data
- Supervise and formalize each subcontracting relationship in a contract or a written legal act.
To comply with these obligations, you must first map all of your personal data subcontractors. However, identifying a subcontractor can be a delicate exercise. In question, a border between subcontracting and joint responsibility that is sometimes difficult to delineate.
In this video, I go back to this exercise and give you the keys to distinguish a subcontractor from a joint data controller:
- The distinction between determination of purpose and determination of means
- The set of clues to determine autonomy, an exclusive characteristic of the data controller
The latest news
Discover Adequacy
Let's discover together how Adequacy adapts to your reality on the ground.
