Classify 3rd parties on websites as Controllers, Processors etc?

In this blogpost we ask if website owners must classify the 3rd parties on their websites as Controllers, Processors etc?

We will explain how Trackerdetect automatically detects and builds information about 3rd parties on your site to help you identify all 3rd parties on your site so that you can classify them to determine which duties that apply to you and your relation with the detected 3rd parties, as required in GDPR.

In the following it is assumed that

• you have 3rd parties on your site
• the personal data of your website visitors are disclosed to the 3rd parties on your site

Classify 3rd parties

If you are a website owner, you can ask yourself

“Must I classify the 3rd parties on my website to count as “controllers”, “joint controllers”, “processors” or “third parties” in accordance with the GDPR?”

The answer is yes.

Site owners must vis-a-vis 3rd parties on their site to which site visitors' personal data are disclosed, classify the 3rd parties to count as being

• controllers
• joint controllers
• processors
• third parties

This is a rule that is clearly implied in the GDPR.

You may ask yourself

"How can I classify 3rd parties on my site as belonging to any of the above categories?"

The answer is that site owners must classify the 3rd parties on their sites in accordance with the GDPR definitions of those categories and and guidelines issued by Data Protection Authorities.

You may ask yourself

“Why must I classify the 3rd parties on my website?”

The answer is that the classification of a 3rd party (on your site) to count as “controllers”, “joint controllers”, “processors” or “third parties” trigger different duties for site owners, e.g.

• if a 3rd party on your site is classified to count as “processor”, then you have a duty to enter into a data processing agreement, as required in GDPR Article 28
• if a 3rd party on your site is classified to count as “joint controller”, then you have a duty to enter into a joint controller agreement, as required in GDPR Article 26
• etc

You may also ask yourself

“Since 3rd parties on my site may change from being a “processor” to being a “controller”, how often must I classify the 3rd parties on my site?”

The answer is that if a 3rd party on your site is a “processor” that starts to determine the purposes and means of the processing, then that 3rd party is considered a “controller” (GDPR Article 28.10).

In such a case, a data processing agreement is insufficient as legal basis to disclose site visitors' personal data to that 3rd party.

In other words, site owners should continuously ensure and to be able to demonstrate that their classification of 3rd parties on their site holds (GDPR Article 24.1).

How can Trackerdetect help?

With Trackerdetect you can automatically detect all 3rd parties on your site

• at a given time by manual clicks
• at given intervals, e.g. each 6th hour
• from a given location
• and store the information about the 3rd parties in a record with Signatu
• and find out what the detected 3rd parties typically do
• including information about their
  • legal entity
  • contact details
  • etc

Trackerdetect will enable you to identify 3rd parties that are on your site so that you can classify them to determine which duties that apply to you and your relation with the detected 3rd parties, as required in GDPR.

Other blogposts on Trackerdetect

In other blogposts about Trackerdetect on

• Oh heck, do I have a lot of 3rd parties on my website?
• Keep a record of all 3rd parties on websites?
• Inform about all 3rd parties on websites in Privacy Policy?
• Inform about 3rd parties on websites in Access Request response?
• Notify 3rd parties on websites of site visitors' request to exercise rights?
• Classify 3rd parties on websites as Controllers, Processors etc?
• Assess risk of having 3rd parties on websites?
• Internal policies for having 3rd parties on websites?
• Is having unauthorised 3rd parties on a website a personal data breach?
• Must I have a tool to identify and record 3rd parties on my website?

we have explained reasons why you should become aware of 3rd parties on your site and how Trackerdetect automatically detects and builds a record of 3rd parties that are on your website to

• help you meet the record keeping requirements in GDPR Article 30.1.
• help you meet the information and transparency requirements in GDPR Article 13.
• help you respond to your website visitor's Access Request in GDPR Article 15.
• equip you with their contact details so you can communicate to those 3rd parties that your website visitor requests to exercise his/her right.
• enable you to classify 3rd parties to determine whether or not you are required to enter into an agreement with the detected 3rd parties, as required in GDPR (data processing agreement (GDPR Article 28), joint controller agreement (GDPR Article 26), controller to controller agreement).
• help you identify all 3rd parties on your website so that you can assess whether your website-3rd parties' processing operations pose risks to the rights and freedoms of your website visitors and whether a DPIA is necessary, in accordance with GDPR.
• help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.
• help you to identify whether unauthorised disclosure of your website visitors’ personal data have occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.
• help you to be able to demonstrate that you have the technological measures to detect and record 3rd parties on websites, as required by the GDPR Articles 24.1, 30.1(d) and Recital 87.

Reach out to us

If you have an interest in Trackerdetect, please send us an email to hello@signatu.com.