What is meant by “other processors” in Art. 28 (2) GDPR? Are these service suppliers who provide the core product, or every supplier who provides any necessary services for the core product?
In the online marketing industry, Art. 28 (2) GDPR covers basically every service provider who processes personal data on behalf of the controller.
ePrivacy recommends the following procedure when dealing with processors:
- First of all, all service providers should be identified in order to determine which of them are processing personal data on behalf of the controller.
- Usually, these are, for example, hosting service providers, monitoring service providers, technical targeting systems, etc. In fact, the controller must conclude data processing agreements (DPAs) with all of these service providers that process personal data on behalf of the controller.
- These service providers must be named in the respective DPA with the customer. In the online marketing industry controllers often have lots of customers on one side and numerous service providers on the other. In this case it is simply impracticable to obtain the consent of all customers each time a service provider is exchanged.
Therefore, several more practicable ways of dealing with this matter are now established in practice:
a) The “strict option”: in some cases, customers actually insist on the “strict option”. This means that they want to be informed each time a service provider is exchanged and that consent must be obtained in each individual case.
b) The “middle option”: instead of mentioning service providers by name in the DPA, a link to a microsite is stated in the DPA where the respective service providers are listed. At the same time, the DPA includes a note that, in the event of an exchange of a service provider, the customer will be informed by a round mail and will agree to the exchange of the service provider if no objection is raised within 14 working days of receipt of this e-mail.
This means that the customer has an overview of the current status of the service providers via the microsite at any time and is also informed by a round mail if a service provider is exchanged. The controller has a comparatively practicable arrangement in this case as well. We therefore recommend this option.
c) Another option is to name the service providers in the DPA instead of the microsite. At the same time, the corresponding service provider clause contains a sentence that reads as follows:
“The controller is entitled to replace the service providers specified in the enclosure. If the controller makes use of this option, he/she shall inform the customers in a round mail about the exchange of the service provider. The customer has the opportunity to object to this within 14 working days. If there is no objection, the replacement of the service provider shall be deemed to have been approved”.
(This means that a microsite is not used, which makes the situation somewhat unclear and unmanageable. Nevertheless, we consider this solution to be acceptable).