Third party data suppliers for websites

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Simon2018, Mar 8, 2018.

  1. Simon2018

    Simon2018 UKBF Newcomer Free Member

    This is a hypothetical question really, but with basis in real world application.

    Let's say there's a website (let's call it Houses.com) which stores details about houses for sale and the person who's selling them. This website has property solicitors as its clients, who log in and add their list of properties to the site. The property solicitors then use the API from Houses.com on their own websites to display the details of the properties and the person who's selling them, but the actual Houses.com website doesn't display any of this information - it purely acts as a data service for the solicitor websites. Where does liability sit here?

    Technically the solicitor sites are only displaying raw data from a third party, though they are responsible for maintaining the data (albeit on someone else's website). Houses.com however are just a hub, not displaying or directly using the data - however they do host the data and while they provide a mechanism to update the data (to the solicitors) - the end house sellers will never go to their website or update anything.

    How will this work in terms of who has to do what, with GDPR?
     
    Posted: Mar 8, 2018 By: Simon2018 Member since: Mar 8, 2018
    #1
  2. Keith Budden

    Keith Budden UKBF Contributor Full Member

    In this instance, the data sits with Houses.com, so they are the data controller. Now, as the solicitors are accessing the data but also adding to the data, they too are a data controller. So in the event of a data breach, both Houses.com and the solicitor would be jointly and severally liable both for any ICO penalties and any claim for direct or indirect damages from the person owning the property.
     
    Posted: Mar 30, 2018 By: Keith Budden Member since: Mar 30, 2018
    #2
  3. Keith Budden

    Keith Budden UKBF Contributor Full Member

    Just to add to that, there should be a clear GDPR-compliant contract between the two parties and a watertight procedure put in place to ensure that, should there be a data subject access request, a data subject data correction request, a request to be forgotten or a data breach, the party first becoming aware would immediately notify the other party.
     
    Posted: Mar 30, 2018 By: Keith Budden Member since: Mar 30, 2018
    #3