by robgough
2528 days ago
In response to your final question, this[1] document from the UK's ICO has some interesting info. Essentially you're either a Data Controller (that would be your site in this example) or a Data Processor (Fathom, in this case -- probably?!).

"64. The ICO cannot even take action directly against a processor who is entirely responsible for a data breach, for example by failing to deliver the security standards the controller has required it to put into place. However, in these cases the ICO may decide not to take any enforcement action against the controller if it believes it has done all it can to protect the personal data it is responsible for and to ensure the reliability of its processor, for example through a written contract. However, whilst the ICO cannot take action against the processor, the data controller could take its own civil action against its data processor, for example for breach of contract."

Though it goes on to say that in some circumstances, the processor can _become_ a controller, in which case the ICO can go after it.

[1]: https://ico.org.uk/media/for-organisations/documents/1546/da...