Controller vs processor (and subprocessors)

The GDPR separates the parties responsible for data protection into two categories.

Controllers - the party that determines for what purposes and how personal data is processed

Processors - the party that processes personal data on behalf of controllers

Under the GDPR, in most cases, the ShopWired user will collect the information from their website visitors and buyers as a controller.

ShopWired acts as the processor for the ShopWired user with respect to this data.

Where the ShopWired user acts as the processor, ShopWired will act as a sub-processor.


Obligations of a data processor

Generally speaking, compliance with the GDPR means that the processor can only process personal data where it has been authorised to process that data by the controller. Our authorisation to process personal data is covered by the Data Processor Agreement.

Other obligations are also imposed by the GDPR on processors:

A processor must notify and obtain consent from the data controller when it transmits personal data to a sub-processor. As discussed here, ShopWired uses sub-processors to provide the ShopWired platform and service:

• Storing platform data
• Providing help and support to ShopWired users

The sub-processors used by ShopWired may vary from time to time. A full list of data sub-processors is available on request. Any sub-processor used by ShopWired will be fully vetted and its compliance with the GDPR will be ensured.

Any time a change is made to the way that data is processed, a Data Protection Impact Assessment must be conducted if that change is likely to result in a higher risk to individuals' privacy rights.

Processors must notify controllers of any breach of processor security.

Processors must appoint a Data Protection Officer.


Obligations of a data controller

The GDPR obligates data controllers to help data subjects exercise their rights under the regulations such as access to that data or rectification of incorrect data.

Data controllers are also obligated to provide certain minimum information about the intended processing of the personal data that is being collected. This should be provided in an easily understandable, plain-language document (usually in the form of a privacy policy or terms and conditions contract).

Controllers are also responsible for ensuring that they obtain appropriate consent, where necessary, for the use of cookies. If you are using tracking cookies on your website, the requirements of the GDPR are that some form of consent should be obtained.

Controllers must ensure that their email marketing practices also comply with applicable requirements of the GDPR in relation to e-marketing and anti-spam.

Where data is processed in relation to individuals under the age of 16 years (younger in some EU member states), parental consent must be obtained prior to processing.

Some data subjects may be entitled to a higher level of consent.