Evaluation of third parties under the GDPR
The accountability principle introduced by the GDPR requires the controller to ensure optimal compliance of its organisation and to be able to demonstrate compliance with the rules on personal data protection. This accountability principle implies that the necessary documentation must be drawn up and that only subcontractors who ensure effective protection of personal data should be used.
The choice to outsource a service or to use a third-party solution is not a decision to be taken lightly. Subcontractors can be a source of high risk, as the client has no direct control over them. The service provider will have access to the data collected by the controller and will process it on behalf of the client. Since the client remains responsible for the compliance of its own data, it must ensure that all data it collects are processed in a compliant manner by these providers.
According to Article 28.1 of the GDPR, the controller must only use processors who offer sufficient guarantees as to the implementation of appropriate technical and organisational measures. This obligation requires that the processes of third parties be monitored and that their compliance with the regulation can be demonstrated. In practice, this means assessing the service provider's compliance before engagement and monitoring its processes on a regular basis:
- Sending a questionnaire. A prior analysis of the processor's level of compliance is necessary to determine its maturity in terms of personal data protection. This assessment can be made by means of a questionnaire, which makes it possible to identify the level of risk that the use of the third party in question may generate.
- Examination of the documentation. As the controller must demonstrate that its subcontractors comply with their legal obligations, it must check that the service provider holds the documentation needed to prove its effective compliance.
- Identification of sub-processors. The processor should itself only use subcontractors that provide sufficient guarantees. Furthermore, under Article 28.2 of the GDPR, the processor must not engage another processor without the prior written authorisation of the controller. The controller must therefore ensure, on the one hand, that the subcontractors of its service providers present sufficient guarantees and, on the other hand, that a customer authorisation process exists for the addition of new subcontractors.
- Decision-making. The choice should fall on the subcontractor whose real compliance raises no doubts. Furthermore, this subcontracting relationship must be governed by a contract or other legal instrument specifying the rights and obligations of each party.
- Regular audits. The evaluation of third parties is not a one-off action. Regular audits should be carried out to verify the provider's level of compliance and to confirm that its mechanisms and processes are kept up to date. If the level of compliance is no longer satisfactory, switching to another provider becomes necessary.