Do you need to list any data processor or organisation that personal data is shared with on a privacy notice, or are categories sufficient?
Barry Moult
I agree with Hellen. I do advocate some indication who data might be shared with. “we share your data with others” If the list is likely to be long, at least give me some indication as to who it might be. (if in health)
“such as” – local NHS Trust, GP, NHS Commissioners for special funding….. etc
Then tell them who to contact to find out more
Chris Roberts
There is also a risk that you expose the business to cyber-attacks if you identify the companies by name, that are your Processors. I would never advocate that. Listing organisation types such as “Our Marketing Agency”, “Web Developer”, “eLearning Provider”, “Financial system provider” is in my view adequate as long as you have the detail within the business (this is your RoPA) and you provide the details for someone to obtain more detail if it's appropriate to share it.
Elisavet D.
Well, Article 13 GDPR states that you need to inform data subjects regarding any recipient of their personal data. But at the same time the privacy notice has to be “reader-friendly” aka short. I would recommend either a layered privacy notice, meaning having a link where data subjects can click and see your processors, or providing an email address where data subjects can send you a request. Make sure you have an updated document to be sent in these cases, so that you won’t have to check at the last moment 🙂
HellenB
My understanding is that if you are a publicly funded body whose suppliers are appointed by public tender then it is appropriate to list who they are, providing of course the list isn’t overly long, as part of the organisation’s overall transparency efforts. But there is nothing in law that I know of that forces you to do this.
Otherwise staying generic is fine (providing of course you know who they are and have a full record in your RoPA).