Skip to main content
CCH Software User Documentation

Ensuring third parties are compliant

Product Help Banner.png


Most organisations share personal data with a handful (or maybe dozens) of third parties. If you’ve provided that personal data to a third party, your organisation has some liability as to how the third party uses it. Do you know if that third party is GDPR compliant? Are their data protection practices acceptable? It’s fine to share personal data with third parties, but you must have a written agreement with them stipulating how they can process and what they can do with the data you have given them.

Take care before you share

When creating your data inventory, you recorded the third party processors and controllers that personal data was shared with. Maybe you added your cloud provider, your payroll processors or your CRM. CCH GDPR Compliance gives you a third party processors log and a controller’s data processing log where you can record all receipts by third parties of your data subjects’ personal data.


Against each third party, you can detail exactly what they are doing with the personal data and exactly what personal data from which data subjects you have shared with them. CCH GDPR Compliance will use this information to generate a data processing agreement. You can send it to the processor and then upload the signed copy to CCH GDPR Compliance.

What if the processor is outside the EU?

If a third party processor is outside the EU, the law requires extra-legal protection to be in place. If the country is outside the EU, you will need a legal basis you are using for exporting that personal data outside the EU. CCH GDPR Compliance lets you record this legal basis and provides you with a copy of the model contract the EU suggests organisations use when exporting personal data outside the EU.

Sharing data with controllers

Are you sharing data with another controller? A travel agent passing personal data of its clients to a hotel or an airline is an example of this type of transfer of data between controllers. Each is a separate controller, individually responsible for data protection. Data is still being shared with a third party, but the legal relationship changes since they are now using the personal data you’ve shared with them for their own purposes. These controller-to-controller relationships must be mapped and can be listed in the Data Sharing register.

When different controllers play a role in processing personal data, compliance with data protection rules and responsibilities for possible breaches still need to be clearly allocated. It is also important that a clear notice is given to the data subjects, explaining the various stages and actors of the processing. It should be made clear that every controller is competent to comply with all data subject's rights and which controller is competent for which right.

How sharing with controllers differs from sharing with processors:

  • How personal data is being used by the controller and where legal responsibilities for each party begin and end.
  • Different legal document from a data processing agreement.
  • Model Agreement – in the event data is shared with a controller outside the EU – is different because it contains controller-to-controller clauses.



  • Was this article helpful?