GDPR – Passing the Buck

It has just come to my attention that some are concocting ways of bypassing responsibility to their clients by agreeing with a “co-processor/controller” that they will be responsible for subject requests, etc.

First, the ICO is not going to fall for such an usurpation of the law and the data controller’s responsibility. If you are a data controller and you violate that data subject’s rights under the GDPR then you can bet your bottom dollar the ICO, if not a lawyer, will be coming for you.

Second, the GDPR, in Article 26, section 3 says this:

“3) Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”

 I think this is a very concise, legal way of saying what I just said. I’ve seen this in action under the DPA 1998 where the offender didn’t buckle until the court date was set and they asked for an opinion. Settlement came very quickly afterward.