As controller we are signing a processing contract - it is a novation of a pre-GDPR contract (bit late but let's not go into that). 

We are happy to give a general authorisation to appoint sub-processors. As we know Art 28(2) will require the processor to inform us "of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."

For some odd reason the processor is balking at telling us who the existing sub-processors are. Seems to think we do not need to know as we have given a general authorisation. Does anyone agree? Would you normally ask for a list?

My view:

It is part of our due diligence and inherent in GDPR Art 28(2) 

• Being notified of changes makes no sense if we are not notified of the original sub-processors – what would be the point? Why notify us that B ltd has replaced C ltd if we did not know B ltd was appointed?

• Being notified that something is being / has been done is in no way inconsistent with a general written authorisation to do that something. 

• Most unlikely but we may wish to object to B ltd (e.g. it becomes 100% owned by the spouse of a senior manager). Again it makes no sense allowing us to object to a change – but not to an existing contractor. The ability to object is also in no way inconsistent with a general written authorisation to do something.

• Processor says “it would be operationally difficult ... to obtain the specific written authorisation for approval of existing, or changes to a sub-processor from every customer if it were to rely on prior specific authorisation”. This is a different issue. Authorisation and objection are not the same thing at all. We are not requiring specific authorisation and they are legally required to tell us of intended changes so "operationally difficult" is irrelevant in those cases.

Other contracts I have dealt with in similar form, providing general authorisation, have typically listed existing sub-contractors. I was surprised this one did not. I accept such a list does not need to be in the contract where we provide general authorisation, but that does not mean we are not entitled to know.

Problem seems to be that Art 28 is drafted assuming the sub-contract comes after the head contract so there would be no "existing" contractors only additions which would be notified, but in a novation / contract variation case that is not strictly true. 
