How does the UK GDPR define SAFEcic's role?
When an organisation purchases SAFEcic products or services, some personal data will need to be shared between that organisation and SAFEcic. The UK GDPR defines BOTH the purchaser and SAFEcic as “Joint Data Controllers”.*
Written Contract? Not required with SAFEcic.
This page on the ICO website states that a written contract is needed in some circumstances:
“Whenever a controller uses a processor it needs to have a written contract in place.”
Having read this, some of our clients are asking; “Does my organisation need a written contract with SAFEcic?”
The answer to this question is no, because SAFEcic is always defined as a “Data Controller” rather than a “Data Processor”.
What is the difference between a "Data Controller" and a "Data Processor"?
a) A “Data Controller” has responsibility for how any data is processed and stored (including selecting any software used), how long that data is kept and how the data should be disposed of when that period expires.
b) A “Data Processor” has none of these responsibilities. Therefore a written contract is required to guarantee that the “Data Processor” behaves entirely in accordance with the instructions of the “Data Controller”.***