The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.

Your company/organisation is a joint controller when together with one or more organisations it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.

The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.

The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller.

There are situations where an entity can be a data controller, or a data processor, or both.

Examples
Controller and processor

A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.

Joint controllers

Your company/organisation offers babysitting services via an online platform. At the same time your company/organisation has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of ‘combined services’ but they also design and use a common platform.

DATA PROTECTION CODE FOR SUPPLIERS, BROKERS, SUB-CONTRACTORS AND THOSE PROVIDING SERVICES TO D-ENERGi

D-ENERGi takes data protection seriously. The following sections set out our commitment to protecting personal data when working with suppliers, sub-contractors and other Companies providing services, or who may be the recipient of personal data i.e. any information relating to an identifiable living person.

Our full data protection policy can be found at www.d-energi.com/privacy

If you have any questions about this code, or our privacy policy, or how and why we process personal data, please contact:

Data Officer
D-ENERGi Business Complex, Unit D
Madison Place
Manchester

Email: data.protection@d-energi.com
Phone: 0161 237 3333

D-ENERGi may share certain personal information to enable us as a Supplier and others mentioned above to perform work and provide services for our customers.

DATA SHARING

The suppliers and others mentioned above undertake to exercise control over any shared data and will (unless agreed otherwise):

  • Only collect and use the personal data for the purposes that have been agreed
  • Not transfer the personal data to third parties without the consent of D-ENERGi and its client
  • Not transfer the personal data to other countries
  • Use appropriate measures to protect personal data in compliance with the European General Data Protection Regulation (GDPR) which comes into force on 25 May 2018
  • Promptly notify D-ENERGi of any complaints or access requests in respect of the personal data and assist in resolving them
  • Advise D-ENERGi if there has been a breach of Data Protection measures and/or loss of data

DATA PROCESSING

In addition to the data sharing commitments, the suppliers and others mentioned above will:

  • Ensure the processing is carried out under a work instruction in which the supplier processes the data only as necessary to carry out services for D-ENERGi
  • Take appropriate measures to protect the data from unauthorised or unlawful processing

ACTING ON THE CODE

Adherence to this code should be proportionate to the circumstances. The level of protection depends upon the sensitivity of the data and the likely consequences of its loss or misuse.

  • Suppliers of goods or services to D-ENERGi must register with the Information Commissioner’s Office (ICO) unless they are eligible for exemption under ICO rules.
  • Must comply with any rights of data subjects exercised under Data Protection Laws.
  • Must inform D-ENERGi if their Company has been subject to an investigation or any finding, decision, notice or undertaking by any court or Information Commissioner’s Office regulator.
  • Have organisational and technical measures in place to guard against the unlawful or unauthorised processing of the data and to protect it from accidental loss, damage or destruction. Operate a robust backup and disaster recovery procedure.
  • Be prepared to provide details of where the data, including any backups, will be hosted.
  • Keep the data only for the time necessary to undertake the services requested or, at the request of D-ENERGi or its client, remove and permanently delete all personal data (unless retention is required by law).
  • As an energy broker or partner you agree to use appropriate measures to protect personal data in compliance with the European General Data Protection Regulation (GDPR) legislation which came into effect on 25 May 2018 and agree to the data protection code of practice as outlined above.

 
