External Consultant access to member data

[David Ramsey]

Hello,

Quick GDPR related question! I'm part of an international NGO secretariat where we have members from around the world. We have recruited an external consultant to help with incoming media requests. As part of her job, she needs to reach out to members (and sometimes non-members) regarding media requests and opportunities.


Since they are on a consultant contract and representing us, are they classed as internal or would this be a third party?

Any advice is appreciated!

 

[Mike Kilby PC.dp]

Hi David,

If the consultant is working for you, on systems your organisation controls (or contracts), and appears to the data subjects to be part of your organisation (not from a separate organisation), then I would say they are a "contractor" and would be considered as internal.
Your contract with them should outline Data Protection clauses similar to those you include in an Employment Contract with employees.


If however they are being sent data, or are seen as an independent organisation acting on behalf of your organisation, I would consider that to be a third-party Controller/Processor relationship and subject to the usual Data Processor Agreements.


Having international members, I presume you've thought about the future impact of Brexit and the continued processing of data held about international data subjects?