I really appreciate you taking the time to respond, and promptly too.
I am not a legal expert - merely someone who has been (perhaps overly) submerged in last year’s GDPR introduction. However, I do have a follow-on to your response if that’s OK:
- I agree, you cannot possibly know everything I might do with data I collect. But that is my responsibility.
But GDPR states that you (QF) must only process data in line with the Processor’s instruction. So, I’m guessing you could state that in the context of what QF allows the Controller to do in your software.
I note that even simply storing and backing up the data (on your servers) is also classed as “processing” even though you are not actually changing the data yourselves.
Again, re your privacy notice, I read this as being related to MY data. NOT the data of my clients. Sorry.
- I would like to refer you to the ICO site: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
Specifically there is a section titled “What role do processors have?” relating to Article 33(2).
This is a key requirement.
So - although you have internal controls on how you handle data breaches, you must have a process that deals with breaches of processed data (where you are the processor), which must include notification policies, at least as I read it.
3) Gotcha. Thanks. I look forward to that.
Overall, it is my belief that a standardised DPA (Data Processor Agreement) which exposes the necessary protocols would help enormously. Referring back to the ICO, please see the “At a glance” introduction. This kinda says it all, and I suppose was the reason for me making my posting here.
Again, I know that a specific DPA “per client” would be impossible.
However, if you were to look at how other organisations have approached this (and there are some excellent examples out there) - they have created either an addendum to their policies or created a standard DPA that their clients must agree to. In other words, you retain control over those agreements.
But I take the view that without an appropriate DPA (or clauses) - it cannot meet the GDPR requirements as set out by the ICO.
Again, thank you for your response to my posting.