Processors and subprocessors need to be listed in transparency information and in your website privacy policy

If you use processors, as defined in Art. 28 GDPR, you need to list them in your transparency information under Art. 13 section 1 lit. e GDPR. Consequently, your website privacy policy must list them too, because website privacy policies are written along Art. 13 GDPR, provided your website is subject to GDPR under Art. 3 GDPR.

Processors are recipients as defined in Art. 4 No. 9 GDPR, and therefore Art. 13 section 1 lit. e GDPR obligates you to list them. This is in line with the general principle in GDPR that your actions as controller shall enable the individual (called 'data subject' in GDPR) to exercise their rights, e.g. Art. 15 to Art. 22 GDPR.

If your processor engages another processor (and so on), you also need to list those in your transparency information and in your privacy policy, as otherwise the individual cannot fully exercise their rights.

See also: DSK short paper on processing and Art. 28 GDPR (in German), page 2, bottom left.
