Third parties repository

When you create a new third party, it is added to the third party repository, where it is available for linking to the processing activities of your entity.

Overview

A third party is a person or organization authorized to receive data. They are generally external to your organization.

Adding a third party to the repository allows you to:

  • easily link the third party to processing activities

  • ensure GDPR Article 30 compliance of processing activities linked to third parties that are outside the European Union

  • link documents to the third party

  • store all third party information in one easily accessible place

  • prepare for audits.

You can add third parties to the repository via the processing creation screens. However, it’s simpler and more efficient to build a more or less complete repository first.

To add a third party to the third party repository, you have two options:

  • add individual third parties

  • bulk-import third party repositories.

The Manage third parties permission is required to perform the actions described in this article.

Article 30 compliance

To add a third party to the third party repository, the only field required is the name. However, if a third party located outside the European Union will be linked to a processing activity, in order to be GDPR Article 30-compliant, YOU MUST ENTER THE COUNTRY where the third party is located.

How to add individual third parties to the repository

There are four tabs to be completed when adding an individual third party:

  • Information

  • Content

  • Technical, organizational and legal measures

  • Documents

To add an individual third party to the repository:

  1. In the sidebar, click Repositories > Third parties.

2. Click the Add third party button.

3. In the New third party dialog box, complete the fields.

| FIELD | EXPLANATION |
| --- | --- |
| Third party (required) | Enter the name of the third party (this is the only field required in order to add a third party). |
| Internal reference | Reference used by the entity to identify the third party (used by search engine to find linked processing activities). |
| Address | Enter the third party’s address. |
| Country | If the third party is located outside the European Union, make sure to select a country. Processing activities where data is sent to non-EU third parties require the country information to be Article 30-compliant. |
| Contractual relationship | Select the item that best represents the business relationship between your entity and the third party. To enter another option, click the Other field, enter the type of relationship, and click the “plus” button. |

4. Click Save. The third party is added to the repository. It appears in the list on the left. You can click the third party at any time to complete more fields.

Once a third party has been added to the repository, there is no Save button. The information entered is saved automatically.

5. Click the Information tab to provide fuller information on the third party.

| FIELD | EXPLANATION |
| --- | --- |
| Legal form | Type of organization, i.e. PLC, LTD, GmbH, SA, etc. |
| Incorporation code | DUNS, SIRET, HRB, etc. |
| Activity | Line of business. |
| Holding address | If the third party is a subsidiary, click the Edit button and enter the address of the holding company. |
| Comments | Provide any additional comments. |
| Contact | Details of contact person. |

Assign processing

To link the third party to a processing activity:

  1. Click the Assign processing button. A dialog box opens.

  2. Select Data Controller or Processor.

  3. Click Filter by area if you wish to filter processing activities by area.

  4. Click the Assign processing field and select a processing activity from the dropdown menu.

  5. Click Attach.

  6. Repeat steps 1-5 to link the third party to additional processing activities.

Remember: if a third party is located outside the EU and is linked to a processing activity, the Country field must be completed to achieve Article 30 compliance.

Third parties can also be linked from within a processing activity. See Creating Article 30-compliant processing.

6. Click the Content tab and complete the fields.

| FIELD | EXPLANATION |
| --- | --- |
| Identified sensitive data | Select the sensitive data categories that the third party will be processing. |
| Identified intermediate data | Select the intermediate data categories that the third party will be processing. To add a category, click the Other field, enter the category, and click the “plus” button. |

7. Click the Technical, organisational and legal measures tab.

| FIELD | EXPLANATION |
| --- | --- |
| Has the third party appointed a DPO? | If you leave the default setting “To be verified” for any of these 3 questions, you can create an action (in Management > Actions) in order to monitor the progress of the verification. |
| If the third party is a processor, does this third party provide sufficient technical and organisational guarantees to comply with the GDPR? | |
| Does the agreement with the third party cover data protection as per the GDPR? | |
| What measures have been taken to correct this non-compliance? | If you answered “No” to the last question, describe the measures taken. |

8. Click the Documents tab. Then click the Add document link to:

  • link a document already in the document database to the third party

  • add a new document (in this case it is added to the document database)

  • add an external link.

9. Complete the fields in the right-hand sidebar that have not already been completed.

| FIELD | EXPLANATION |
| --- | --- |
| Same holding | Do your entity and the third party belong to the same holding company? |
| Scope of activity | What is the third party’s scope of activity: Business-to-Business or Business-to-Consumer? |
| Number of employees | How many employees does the third party have? |
| Estimation of the volume of data processed | The volume can be in number of records or files, quantity of megabytes or gigabytes processed, number of data subjects, etc. |

11. Set the Compliance ratings. These ratings are based entirely on your assessment of the third party. Drag the sliders to the ratings of your choice.

You can base these ratings on the answers given in the Technical, organisational and legal measures tab.

| RATING | FACTORS FOR ASSESSING RATING |
| --- | --- |
| Services compliance | Example: Does this third party provide sufficient technical and organisational guarantees? |
| Relationship compliance | Examples: Does the agreement with the third party cover data protection? If yes, is it GDPR-compliant? |

Bulk-importing

You can use bulk-importing to create a new third party repository, or to update an existing repository.

How to create a third party repository via bulk importing

This feature allows you to import information for multiple third parties.

Here’s the basic procedure: 1) Download the Excel import template from the GDPR software; 2) Enter your third parties in the template file; 3) Import the file to create your repository.

You can enter complete third party information in the file, or import a partially completed file and complete the remaining information at a later time in the software.

For information on completing all the fields, see How to add individual third parties to the repository above.

ARTICLE 30 COMPLIANCE: For third parties that are located outside the EU, check that the address includes at least the Country (see Information tab above). Processing activities in which data is sent to non-EU third parties require the country information in order to be Article 30-compliant.

To create a third party repository via bulk importing:

  1. In the sidebar, click Repositories > Third parties.

2. Click the Import repository button. A window opens.

3. Click the import template link to download the Excel third party import template.

4. Open the template, complete the information for all third parties and save the file.

If you enter multiple items in a column, separate them with a semicolon “;”

5. Click the Select file button and select the file.

6. Click the Check content button. The check results are displayed with the number of successfully imported lines (green) and errors (red). Each error is explained.

For invalid entries, you can click the “information” icon to see the list of accepted entries.

The blue “Ignored” icon only concerns re-imports. See How to update a third party repository via bulk importing below.

7. If there are errors, open the Excel file, correct the errors, and repeat steps 5 and 6. If errors still remain, correct them and repeat steps 5 and 6 again. You cannot import a file until all errors have been corrected.

8. Click the Import button. The file is imported and the import results are displayed.

To add documents to a third party, use the Documents tab (above). To link a third party to processing activities, see Creating Article 30-compliant processing.

How to update a third party repository via bulk importing

To update a third party repository that already exists in the GDPR software using bulk-importing, the basic process is 1) Download the existing repository from the GDPR software; 2) Make the changes to the Excel file; 3) Re-import the file.

The repository cannot be updated by modifying an existing third party template and then importing it. You must download the repository from the GDPR software and modify the downloaded file.

To update a third party repository via bulk importing:

  1. In the sidebar, click Repositories > Third parties.

  2. Click the “More” button and select Download.

3. Open the downloaded file, update it with your changes and save the file.

You may notice that downloaded files contain a new column called “Technical identifier”. This is used to match the third party in the repository against any reimported changes. Do not modify this column.

4. Click the Import repository button. A window opens.

5. Click the Select file button and select the updated file.

6. Click the Check content button.

7. If there are errors, open the Excel file, correct the errors, and repeat steps 5 and 6. If errors still remain, correct them and repeat steps 5 and 6 again. You cannot import a file until all errors have been corrected.

About ignored third parties

Once there are no more errors, a list of “ignored” third parties, i.e. third parties that were not re-imported, may be displayed. There are two possible reasons for this:

  1. The third party was shared by your parent company (this concerns subsidiaries whose parent organization set up an entity tree with a Data Legal Drive administrator). These third parties cannot be modified by your entity, and any updates will be ignored. The list is provided for information only. No action is required.

  2. The technical identifier column of the third party was modified. This column must not be edited.

8. Click the Import button. The file is imported and the import results are displayed.