I have the following discussion: are auditors, such as Ernst & Young or TUV, a Data Processor or an Other Recipient? Imo they are an Other Recipient and no processing agreement is required.
What do you think about this?
HellenB
Barry is absolutely right with regard to the ‘it depends’ answer.
To add another twist to this excellent question, there are instances where some professional service providers are considered to be agents rather than either a Controller or a Processor (an outsourced DPO for instance can be considered an agent).
The ICO do give examples of whether these particular organisations are a controller or processor in their guidance document:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/
I tend to qualify ‘other recipients’ as organisations that the business is legally obligated to disclose to rather than one they would choose to.
Barry Moult
Hi Hellen
I love your last sentence definition; I’m going to use it if you don’t mind. It sums it up nicely.
“I tend to qualify ‘other recipients’ as organisations that the business is legally obligated to disclose to rather than one they would choose to”
HellenB
Barry – I’m very flattered 🙂
Be my guest.
Barry Moult
I suspect you will get a number of differing replies to this.
Of course the standard reply is going to be ‘it depends’. It depends what they are auditing.
What will they have access to? How will they have access?
In Health I have always treated auditors as ‘data processors’, and they only process the data as instructed in the contract.
Would you want a data processing agreement? I’ve been there when I felt the ‘contract’ was not specific enough about what they will be doing (or not doing) with the data and insisted on an agreement (belt & braces).
Just think what could go wrong if it’s not clear 🙁
Dean
Hi Henk,
I would tend to agree that auditors are not processors, mainly because they are not operating to specific instructions for the purpose of processing data. I think they would have their own audit methodology and protocol for auditing and therefore would claim an element of autonomy.
So “other recipient”, subject to appropriate safeguards of confidentiality, of course.
Thanks, Dean
Alexander Sturing
I would like to add to Dean’s answer that it also depends on the type of audit. In some cases, audits are mandatory by law; this makes the auditor *not* a data processor, since it is not the controller determining what the auditor can audit, but specific legislation.
BlueBottle
I sign auditors up as processors, with a processor agreement and/or appropriate terms in their service agreement, NDA, etc.
The documented instructions of the controller include the instruction to audit us, and to access confidential information for the purpose stated in the contract, which should be narrow enough to constitute processing on the documented instructions of the controller.
I agree in theory that a contractor could be an agent; however, if they are not an employee they are not part of the body corporate and thus are not the [original] controller.
We have an agency relationship with introducers, and they are both a separate controller and a processor at different points in the customer journey, but for the purpose of data protection law we never consider them to be acting as us.