Watercooler by DPOrganizer

Simon
Asked: March 24, 2021 In: GDPR

Notification of changes to data processors


Article 28(2) allows controllers to provide a general authorisation to processors to engage another processor to conduct the processing providing that processors inform the controller. What would be a reasonable notice time?

Would it make sense to have a tapered schema based on the volume and sensitivity of the data processed, and the magnitude of the changes to the sub-processors?

    2 Answers

    1. Dave_Wylie

      Added an answer on March 24, 2021 at 1:12 pm

      The timeline should be at least as long as it would be required of the controller to be able to undertake and interact with the processor about the new sub-processor of the controller; like reviewing the VDD they have done and any or all of the DPIAs / LIAs etc. as part of that exercise so they can amend their own records and make the decision if they are happy with the risk change.

      I have seen time periods in Controller to Processor agreements that vary from a minimum of 30 days to 90 days for changes in processing supply chain scope within the DSA (Data Sharing Agreements).

      It also depends how much the Processor (Controller in their own right) has their own house in order with respect to Vendor due diligence and notification to parties that they process on behalf of... but as you mention they should be taking a risk-based approach to the activities of the new processor... more lead time for more risk and sensitive personal data sets that are in scope.

      Hope that helps.

    2. Dean

      Added an answer on March 29, 2021 at 11:36 am

      I agree with Dave here. The determination is linked with the amount of time that is needed to assess the sub-processor. Likewise, anything from 30 days upwards.
      I’ve usually built into the clause a way to back out of the processing relationship if the Controller really does have an issue with the suggested sub-processor.

    © 2021 DPOrganizer. All Rights Reserved. With Love by DPOrganizer.