Trust your provider, but do the work yourself

Posted: Tue Jan 28, 2025 4:28 am
by sumaiyakhatun27
Even if your contractor is too big to fail (or a de facto monopolist in the service market) and promises compliance with all data protection laws, they may still in most cases either hide some information, be in the process of disputes with the regulator over fines, or rely on interpretation of the law. But even if they have certificates of compliance on their website – you should remember that in most cases the contractor is not responsible for your compliance.

In other words, any data protection documents on your contractor’s website only apply to the contractor and can only protect them. You can only rely on them in certain cases. Moreover, even before you start working with them, your own processes and all documents must comply with data protection legislation.

Carefully study what your contractors (clouds, analytics services, data analysis tools, CRMs, etc.) write on their website or ask you to sign, but start from your own policy. Even if a user notices during their visit that their data is now being collected by your partner, don't forget that you may often be responsible for the processing of data in whole or in part (and add it to your privacy policy in advance, for example).

5. If the site promised, the company must deliver.
Draft all references and materials regarding data processing as if they were legal documents. Consider whether the site visitor can understand how their data will be used, and whether this understanding meets their expectations and the requirements of the law (yes, this is important).

If a company promises to encrypt data, it should actually do so. If the policy states that data will not be sold or disclosed to third parties, this may mean that the company can only entrust the processing of such data to employees under an employment contract under the condition of non-disclosure. And even the software for such processing was developed by the company. The PE or other contractors should be mentioned (or even explicitly stated) in the privacy policy.

Check that:

contact forms worked, and email for inquiries was checked regularly;
response deadlines were met;
the data was indeed deleted at the user's request, and the consent (for newsletters, for example) was withdrawn (and the newsletter, accordingly, did not arrive after withdrawal);
the DPO (if any) was identified, responded to user requests, and complied with GDPR/LGPD/national law requirements.
Don't promise more than the company actually delivers. In the long run, this can only create additional liability for the company when it is audited by a regulator, auditor, or partner, or even provoke hacktivists or journalists to verify the claims.