In GDPR terms, an organization that engages third-party service providers is usually, but not always,
a data controller: an entity that determines the purposes and means of the processing of personal
data, which includes directing third parties to process personal data on its behalf. The third parties
that process data on behalf of a controller are data processors. Because a contract with the processor
is mandatory under GDPR Article 28, the best way to protect personal data in the custody of a third party
is to write the organization's privacy policy requirements into that contract. The organization should
specify the terms and conditions of processing, such as the purpose, scope, duration, types of personal
data and data subjects involved, and the security measures required, and ensure that these are
consistent with the organization's privacy policies and with applicable privacy regulations. The
contract should also define the roles and responsibilities of both parties (controller and processor),
and establish mechanisms for monitoring, reporting, auditing, and resolving issues or incidents related
to data privacy, including breach notification to the controller and the use of sub-processors.
Reference: CDPSE Review Manual (Digital Version), page 41