Sharing and transferring personal data to third parties
It is useful to list all the organisations that you share data with on a regular basis. You will have already identified these organisations in your record of processing. Below are some examples.
It is important to distinguish between a data processor and a data controller as the obligations differ. Data controllers have the same obligations as you but data processors do not and, therefore, you must have a written contract in place to limit what they can do with your data.
For example :
| Data controller | Data subject | Share with - 3rd party data controllers | Share with - 3rd party data processors |
|---|---|---|---|
| law firm | potential clients | courts | client database if not sorted on your server |
| clients | solicitors 'on the other side' | your cloud-based server provider if not inhouse | |
| other relevant individuals witnesses, beneficiaries, executors | expert witnesses | supplier of confidential waste shredding | |
| Registers of Scotland | document storage company | ||
| Scottish Legal Aid Board | outsourced payroll | ||
| HMRC | supplier who photocopies large amounts of productions for court | ||
| financial advisers | |||
| Law Society of Scotland |
Sharing data with data processors
Your obligations
- Carry out due diligence on the processor
- Monitor compliance with the GPDR and your contract
- Have an appropriate written contract in place with any processor
The level of due diligence and monitoring compliance carried out depends on the risk inherent in the processing. A greater level of due diligence is expected if special category data is being processed on an ongoing basis.
Written contract
There are enhanced obligations on the controller to have a written contract with any third-party data processing under the GPDR.
The contract must set out the following:
- The subject matter of the processing
- The duration of processing
- The nature of processing
- The purpose of processing
- The type of personal data to be processed
- The categories of data subjects whose data is to be processed
- The rights and obligations of the data controller
The contract must include the following instructions to the data processor:
- The processor must only process the data on the instructions of the controller
- Any individual processing data for the processor must have a commitment to confidentiality
- The processor must take appropriate security measures
- The processor must assist the controller to comply with data subjects’ rights, including reporting any personal data breaches to the controller immediately
- The controller identifies whether the personal data should be deleted or returned to the controller at the end of the provision of services
- The processor must assist the controller with the provision of information for audit or inspection purposes
Sub-processors
If the data processor wishes to sub-contract any processing, they must obtain written authorisation from the controller. This can be provided in general terms in advance, but the processor must tell the controller the identity of any new sub-processor and any other changes. This allows you to ensure control over the data you hold and to advise the data subjects where their data is and what is happening to it, ensuring fair processing.
The processor should have a contract in place with any sub-processor to ensure that it has appropriate technical and organisational measures in place to ensure compliance with the GDPR. Any personal data breaches suffered by the sub-processor should be reported to the processor immediately.
Sharing data with other data controllers
There must always be a legal basis for sharing any personal data. Recipients (or categories of recipients) of the data must be identified in your fair processing/privacy notice.
Law firms should consider whether they require a written agreement to be in place with any organisation it passes data to. For example, you may wish to point out why the data is being shared and what should happen to it once there is no requirement for it to be processed by that party any longer. You should also consider security of processing and make attempts to ensure that the data will be held securely by the controller you are passing your data to.
This extent of this requirement will depend on the organisation and it is unlikely to be required when personal data is shared with the court, but perhaps should be considered when special category data is passed to an expert or other individual that the data controller has little knowledge of. Although these organisations or individuals have their own obligations as data controllers, you may decide to set out your expectations in your letter of instruction, particularly in relation to security and retention of personal data.
| Name | Status | Contract with new T&C;'s | Due diligence | Monitor |
|---|---|---|---|---|
| Case management system | processor | yes | statement from supplier | at time of contract renewal |
GDPR guide for law firms
Our guide looks at the regulation and the Data Protection Act from the perspective of a legal practice.
- Law firms as data controllers
- Create a record of data processing
- Client confidentiality, legal privilege and limited exemptions
- Data retention
- Sharing data with third parties
- Data protection officers
- Security
- Reporting personal data breaches
- Requests for client personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Appendix 3 - Background to the GDPR changes
