
Relationships


As part of the preparation to deliver a service you need to understand all the relationships involved and the part each plays in the service.

Human Resources Services Structure

The diagram below illustrates how a company might be managing its HR data. They have engaged a Cloud HR Provider to maintain the principal records for the HR Department and a Payment Processor who is responsible for making salary and expense payments to the employees. The Cloud HR Provider has contracts with a Cloud Infrastructure provider for the hardware on which they operate their platform and with a Backup Storage company to store their backups.

relationship diagram

The Payment Processor and Cloud HR Provider are processors, and the Cloud Infrastructure and Backup Storage are sub-processors engaged by the Cloud HR Provider.

The Company is the controller and has the overall responsibility for the data processing service. They have collected personal data from their employees, are using it to process salary payments, and are storing it in a cloud-based HR system. Should an employee wish to exercise their rights under GDPR for this data, they will contact the company.

The Payment Processor’s role is limited to processing payments, and they have access only to the data required to complete that task, e.g. payment amounts and the related bank account details.

The Cloud HR Provider stores the HR Record and therefore will have access to more data, such as annual reviews, benefits details, and points of contact. They provide the company access to view and change this data through a web-based application.

The Cloud HR Provider has engaged sub-processors to help in discharging its contract. The cloud infrastructure provider provides the infrastructure on which their application is running. The backup storage service provides separate storage for backups. Both sub-processors are under the control of the Cloud HR Provider.

The Company needs to establish a contract with each of its processors. The Cloud HR Provider needs agreements with each of the sub-processors that are aligned with the data protection requirements in its agreement with the Company. The Company needs to approve the appointment or re-appointment of the sub-processors.