by lmkg
1362 days ago
Under GDPR, if you use third-party tools, and those tools process user data (including just being loaded onto the page from a third-party server, because that requires processing the IP address), then your arrangement with that third party must describe the processing that they are going to perform. The description of processing is often a separate document from other contract stuff, called the Data Processing Agreement (DPA), but that's a convention and not a requirement. Your responsibility is making sure that data processed under the terms of that agreement conforms to GDPR. Your primary responsibilities are the articles in Chapter 3 "Rights of the Data Subject" under GDPR, and making sure you can do that for data sent to the third party. Their responsibility is making sure that data is only processed how they describe it in the DPA. If they surreptitiously add Google Analytics, that's their violation. If the contract is too vague to tell what processing is going on, then that is your violation for choosing to engage with them as a processor. In practice this might be your biggest risk.