Tips for logging third party access to your data
Note the following down:
- The name of the 3rd party and whether they are processing data according to the instructions from your management, or whether they are repurposing this data for new purposes.
- What instructions for processing your employer has given the 3rd party? (i.e. what may they do with your data)
- If the third party is processing your data for new purposes, what is the purpose of their processing? Is it compatible with the original transfer of data to them? And what lawful basis do they rely on?
- Have you seen, or been party to, the third party’s DPIA?
- What data is being transferred. Is it necessary to transfer all that data? Is the transfer secure?
This information might be difficult to get from management, but the best place to start is to ask!