Controller vs processor (and subprocessors)
The GDPR separates the parties responsible for data protection into two categories:
• Controllers - the party that determines the purposes for which, and the means by which, personal data is processed
• Processors - the party that processes personal data on behalf of a controller
Under the GDPR, in most cases, the ShopWired user will collect the information from their website visitors and buyers as a controller.
ShopWired acts as the processor for the ShopWired user with respect to this data.
Where the ShopWired user acts as the processor, ShopWired will act as a sub-processor.
Obligations of a data processor
Generally speaking, compliance with the GDPR means that the processor can only process personal data where it has been authorised to process that data by the controller. Our authorisation to process personal data is covered by the Data Processor Agreement.
Other obligations are also imposed by the GDPR on processors:
A processor must notify the data controller, and obtain its consent, before it transmits personal data to a sub-processor. As discussed here, ShopWired uses sub-processors to provide the ShopWired platform and service for:
• Storing platform data
• Providing help and support to ShopWired users
The sub-processors used by ShopWired may vary from time to time. A full list of data sub-processors is available on request. Any sub-processor used by ShopWired will be fully vetted and its compliance with the GDPR will be ensured.
Any time a change is made to the way that data is processed, a Data Protection Impact Assessment must be conducted if that change is likely to result in a higher risk to individuals' privacy rights.
Processors must notify controllers of any breach of processor security.
Processors must appoint a Data Protection Officer.
Obligations of a data controller
The GDPR obligates data controllers to help data subjects exercise their rights under the regulation, such as access to their data or rectification of incorrect data.
Controllers must ensure that their email marketing practices also comply with applicable requirements of the GDPR in relation to e-marketing and anti-spam.
Where data is processed in relation to individuals under the age of 16 years (younger in some EU member states), parental consent must be obtained prior to processing.
Some data subjects may be entitled to a higher level of consent.