Evaluation of third parties under the GDPR
The accountability principle introduced by the GDPR requires the controller to ensure optimal compliance of its organization and to be able to demonstrate compliance with the rules on personal data protection. This accountability principle implies that the necessary documentation must be drawn up and that only subcontractors who ensure adequate personal data protection should be used.
The choice to outsource a service or to use a third-party solution is not a decision to be taken lightly. Subcontractors can be a high-risk source because the client has no real control over them. The service provider will have access to the data collected by the controller and will use it on the client's behalf. As the client remains responsible for the compliance of the data it collects, it must ensure that all of that data is processed in a compliant manner by these providers.
According to Article 28.1 of the GDPR, the controller must only use processors who offer sufficient guarantees to implement appropriate technical and organizational measures. This obligation requires that the processes of third parties be monitored and that their compliance with the regulation be demonstrable. In practice this means assessing the service provider's compliance before engagement and monitoring its processes regularly:
- Sending a questionnaire. A prior analysis of the processor's level of compliance is necessary to determine its maturity regarding personal data protection. This assessment can be made through a questionnaire, which makes it possible to identify the level of risk that the use of the third party in question may generate.
- Examination of the documentation. As the controller must demonstrate that its subcontractors comply with their legal obligations, it must check that the service provider holds the documentation needed to prove its effective compliance.
- Identification of sub-processors. The processor should itself only use subcontractors offering sufficient guarantees. Furthermore, under Article 28.2 of the GDPR, the processor must not engage another processor without the prior written authorization of the controller. The controller must therefore ensure, on the one hand, that the subcontractors of its service providers present sufficient guarantees and, on the other hand, that a process exists for it to authorize any new sub-processor before it is engaged.
- Decision-making. The choice should be made in favor of the subcontractor whose actual compliance raises no doubts. Furthermore, this subcontracting relationship should be governed by a contract or other legal instrument specifying the rights and obligations of each party.
- Regular audits. The evaluation of third parties is not a one-off action. Regular audits should be carried out to verify the provider's level of compliance and that its mechanisms and processes are kept up to date. If the level of compliance is no longer satisfactory, switching to another provider would be necessary.