GDPR and Disclosure of 3rd Parties
GDPR – DISCLOSING WHICH THIRD PARTIES YOUR BUSINESS USES
GDPR is all about transparency and fairness, and is designed to
- create enhanced rights for individuals (data subjects) and
- increase accountability for those organisations who control and process data
Protecting data is vital within your business; breaches mean not only a failure to comply with legislation but also professional ramifications and an adverse impact on your relationship with your clients/customers and those with whom you work. Once your reputation in business is damaged, it’s bound to have a negative impact on your profits too.
- who you are (name and contact details of the person appointed as a data protection officer or responsible for data protection) and
- why you are collecting and generally processing personal data and
- who you are going to share it with.
This means naming the third parties with whom you share data. So, for example, if you use MailChimp to engage with your customers/clients then you must include them, by name, in the list of organisations you share data with. You also need to check that they’re GDPR compliant, which is another blog in its own right.
The problem is that as a business you will have worked hard to source suppliers and other third parties that help make your business great. You’re probably quite happy telling your customers/clients about them. However, if you’re honest, there will probably be a part of you that resents sharing this information with some others – say, for example, your competitors. The problem, you may feel, is that once it’s visible on your website, it’s there for those whom you want to see it as well as those you would prefer didn’t.
Can you avoid naming 3rd parties under GDPR?
It depends. Guidance from the Article 29 Working Party says that you should name third parties with whom you share data unless you can demonstrate that it’s fair to provide only details about the categories of third parties rather than their names. So, for example, instead of naming MailChimp you could state that you share data with marketing partners (you must provide some more detail about each category too).
When is it fair not to name the third parties with whom you share data under GDPR?
“Commercial interest” (such as “I don’t want my competitors to know”) is most unlikely to be a fair reason for non-disclosure. If, for example,
- your third parties are constantly changing AND
- you keep a list of them AND
- you make it clear that data subjects can ask you for a copy of that list
then you may be okay. There is no guidance on what’s fair, so nobody will tell you that changing your suppliers every week is acceptable. It’s part common sense and part fairness.
Half-way house to naming 3rd parties under GDPR?
For some businesses, a “half-way house” option may be worth considering. This way you can
- provide the names of some third parties who are regulars, for example, IT maintenance, because you have a 3-year contract with them and
- use categories for others, such as your marketing partners if your organisation is constantly chopping and changing third-party suppliers to do this
Remember though that you must make sure that
- you hold an up-to-date list of all the third parties (adding and deleting as they change) with whom you share data AND
- you tell data subjects who to contact to get an updated list of those third parties AND
- you supply that up-to-date list of third parties with whom you share data when asked.
If you’d like a free clause which you can adapt to name some suppliers but provide categories for others, please let us know by emailing email@example.com. Would you like a No Obligation FREE Chat about how we can help you with GDPR? Call 01244 300413 or email firstname.lastname@example.org