UK GDPR and SAFEcic customers
As our original data protection systems were already more robust than required, few SAFEcic clients will notice any change at all. Please follow this link for our Privacy Policy.
How does the UK GDPR define SAFEcic's role?
When an organisation purchases SAFEcic products or services, some personal data will need to be shared between that organisation and SAFEcic. The UK GDPR defines BOTH the purchaser and SAFEcic as “Joint Data Controllers”.*
As Joint Data Controllers, it is the responsibility of each Data Controller’s organisation to ensure its own compliance with UK GDPR and the Data Protection Act 1998. A public commitment to compliance, such as the SAFEcic Privacy Policy, is seen as sufficient for each organisation to show due diligence in ensuring the other is compliant.**
Written Contract? Not required with SAFEcic.
This page on the ICO website states that a written contract is needed in some circumstances:
“Whenever a controller uses a processor it needs to have a written contract in place.”
Having read this, some of our clients are asking: “Does my organisation need a written contract with SAFEcic?”
The answer to this question is no, because SAFEcic is always defined as a “Data Controller” rather than a “Data Processor”.
What is the difference between a "Data Controller" and a "Data Processor"?
a) A “Data Controller” has responsibility for how any data is processed and stored (including selecting any software used), how long that data is kept and how the data should be disposed of when that period expires.
b) A “Data Processor” has none of these responsibilities. Therefore, a written contract is required to guarantee that the “Data Processor” behaves entirely in accordance with the instructions of the “Data Controller”.***
*See Article 26 of Regulation (EU) 2016/679 “Joint Controllers” (Replaces Article 26 of the EU GDPR).