Read our detailed guidance to help you comply with the Law when you are using third parties to do certain tasks with people’s data.
Whether you are a small company or a large global organisation, you may decide to engage another party to help you or carry out some tasks on your behalf.
These third parties (known as 'processors') can be pivotal to ensuring that you operate as effectively and efficiently as possible. However, where you do engage other parties to carry out work on your behalf, you need to understand the steps that must be taken to ensure compliance with the Law
Examples of these types of relationships could include:
- Outsourcing the administration of payroll and HR functions
- Outsourcing day-to-day IT functions to a specialist provider
- Outsourcing the business development and marketing operations
- Outsourcing work to a group entity
Where you appoint a processor to carry out work on your behalf, the Law requires you (as the controller) to ensure that:
- sufficient guarantees that reasonable technical and organisational measures will be established and carried out by the processor are obtained to ensure that the processing meets the requirements of the Law and will safeguard data subject rights.
- a legally binding contract, in compliance with the Law, is put in place between you and the processor.
Please refer to our suite of processor guidance resources below, to help you understand and comply with the legal requirements.
Processor Guidance Resources
Controller, Joint Controller, Processor or Secondary Processor?
This guidance is for anyone who wants to understand the different roles played when you are working with others on an activity that involves information about people (personal data).
Processor assessments
This guidance is for anyone who wants to know more about how to assess a processor’s suitability.
Contracts between controllers and processors
This guidance is for anyone who wants to understand the Law’s requirements for contracts between parties who are working together on activities that involve personal data.
Cloud-based services
This general guidance is for anyone who wants to use cloud-based services for an activity involving personal data.
Overview: appointment of processors
Here's a simple visual overview of the steps you need to take when appointing a processor.
Appointing a processor operating exclusively in the Bailiwick of Guernsey
This case study walks you through the basic steps you would need to take to appoint a processor based in the Bailiwick of Guernsey in compliance with the Law.