It’s fairly common for an organisation to pass the actual handling of data on to a third-party organisation, sometimes without ever seeing, or having access to, the data themselves. This doesn’t mean that they’re exempt, though.
The GDPR identifies two kinds of organisations who have responsibilities under the regulations - Data Controllers and Data Processors.
At the top of any chain of data flow is the Data Controller. This is the organisation who makes the data decisions: what data they need, why they need it, how they’ll get it, what they’ll do with it, how they’ll store it, and so on…
Below the Controller is the Data Processor (often there’ll be many Processors, who themselves sit above a chain of sub-processors, but let’s not complicate things). A Data Processor handles data on behalf of a Controller, and that’s it. They have no ‘control’ over the data and they make no decisions – they act solely on the instructions of a Controller.
It’s impossible to have a Processor without a Controller sitting above them somewhere, telling them what to do with the data. Conversely, it’s impossible to have data handled by a third-party Processor on your behalf, without being the Controller – and Controllers have a whole heap of duties to perform under the GDPR (regardless of whether they actually process data themselves or not).
Since the Data Controller is the organisation which decides how and why data is being collected, it is responsible for ensuring that it has a lawful reason for doing so. It also needs to assess the “risks of varying likelihood and severity to the rights and freedoms” of the people whose data is being processed; it needs to ensure that it, and any processing organisations it employs, have appropriate technical and organisational safeguards in place (this is usually done by way of a Data Processing Agreement between the Controller and its third-party Processors); and it needs to be able to demonstrate its compliance if ever called upon to do so.
So, whether your organisation both controls and processes data, or whether it just instructs third-party processors, you are still bound by the GDPR and need to perform your duties in full.
GDPR eLearning courses
With our GDPR eLearning courses, you can get your organisation on its way to compliance in less than an hour. It's by far the easiest and most convenient way to get things sorted and you can get free trial access to either of our courses, at any time - it's a no-brainer!