Are you a data processor?
Your business may place you in the category of a data processor under the GDPR, that is, an individual or company that manages data on behalf of its customers.
If you are, for example, a web agency, a consultant, a company sending mail for your clients, an application manager, a financial intermediary, etc., you manage personal data that is entrusted to you by your clients and that you must process according to their instructions.
You will therefore receive contracts from the data controllers you work with. Today, there are no standard clauses or contracts proposed by the data protection authorities. It is important to read these contracts carefully.
You can of course compare them with the standard contract that we propose in the "subcontractors" section.
If you wish, you can submit it to your DPO, a legal expert or a lawyer specializing in GDPR.
GDPR Folder: your ally for data management
To keep GDPRfolder permanently up to date with changes in data protection regulation, and to better inform our customers about their obligations, we have adapted the content of the "processing carried out by subcontractors" section of the GDPRfolder questionnaire so that you can understand your obligations as a subcontractor.
The complete list, proposed by the CNIL, is available in the questionnaire of GDPRfolder.
- Request written authorization from your client if you yourself use a subcontractor (we recommend that you copy the list of subcontractors that you have established in the "my subcontractors" list and forward it to your client).
- Make available to your client all the information necessary to demonstrate compliance with your obligations and to enable audits to be carried out (you can show your client the "RGPD file" that you can print out at GDPRfolder).
- Demonstrate that your employees who process your customers' data are subject to a confidentiality obligation (the RGPD file shows that your employees have signed a confidentiality clause).
- Notify your customer of any data breach.
- At the end of your service and according to your client's instructions, you must either delete all the data or send it back to your client, and destroy the existing copies unless you are legally obliged to keep them.
- When an individual exercises his or her rights (access, rectification, erasure, portability, objection, not to be subject to an automated individual decision, including profiling) you must, to the greatest extent possible, assist your customer in fulfilling that request.
- Given the information at your disposal, you must help your client ensure compliance with security of processing, data breach notification and data protection impact assessment obligations.
Want to know more?
Are you looking for a turnkey solution for your GDPR management?
Contact us to learn more about our solution and its applications.