02 April 2018
In a business to business transaction, Company A obtains the contact details of a representative of Company B, and places those details (such as name, e-mail, telephone) in to its CRM. This information is only to be used to connect to the other company.
However, Company A takes the decision as to when to contact and when it will delete the contact details. Because Company A decides on the lawful basis of processing, retention period, etc, it becomes the controller.
In this instance, Article 14 GDPR applies and it obliges the controller to inform the data subject, and a link to the privacy notice on the website of Company A may help.
Where there is a formal business contract in place between Company A and Company B, it should have defined roles and responsibilities of each party. Based on the contractual terms a preliminary determination of who might be the controller (or joint controllers) and who might be the processor (or joint processors) could be made, on the basis of which specific data controller- data processor clauses to the contract could be drafted.
To find how our friendly and knowledgeable solicitors can help you, contact us today.
Make a free enquiry - Call now - 0151 659 1070
