Hacker News new | past | comments | ask | show | jobs | submit login

It is so clear cut that the situation I described is illegal.

Sub-processors are not allowed to sign data processing agreements.

So not that clear it would seem ...




That’s because you’re trying to do something fundamentally unsafe. A data controller is responsible for all the data they control and how it’s processed, as a result it needs to control and vet the entire data processing chain, regardless of how many processors or sub-processors there are.

If GDPR allows controllers to slip out of their obligations by using sub-contractors to firewall their legal responsibilities, then it would be useless as a data protection law. If you want to run a data processor that relies of byzantine structures in an attempt to create plausible deniability, then you’re gonna have a bad time.

Ultimately this is just a problem of dependency resolution, and conflicting dependency requirements, but it’s an unavoidable problem if you want to have truly accountable data controllers. Accountability is far more important than operational convenience. Remember GDPR exists to protect EU citizens, not businesses. It explicitly makes life hard for business, to ensure protection for citizens. Don’t like it, then leave, go exploit some other population.


> If GDPR allows controllers to slip out of their obligations by using sub-contractors to firewall their legal responsibilities, then it would be useless as a data protection law

And that's why it is.

Because it didn't take into account how companies work in practice.

A SaaS company has both individuals as well as organisation as customers and thus operates as a data controller and data processor.

Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.


> And that's why it is.

What on earth are you talking about? I’m making fundamental statement about accountability, you can’t allow companies to outsource their data protections responsibilities, because history has shown time and time again, if let companies outsource responsibilities, they’ll outsource it to someone who just ignores the law and provides a fig to protect execs.

> Because it didn't take into account how companies work in practice.

The whole point of GDPR is to prevent shitty business practices, not enable them. How companies work in practice is most irrelevant, GDPR protects people, not companies.

> A SaaS company has both individuals as well as organisation as customers and thus operates as a data controller and data processor.

Yes, so what?

> Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.

Yes you can. If your customer has given you explicit instructions on how they want their data processed, in the form of a data processing agreement, then you’re contractually bound to that agreement. You want to change it, the you need to ask all your customers. You can’t unilaterally just start doing something new with data you’ve been given because you feel like it. Otherwise what prevents you from just deciding that selling all the data your customers gave you is how you now handle their data?

I don’t know you find this so difficult to understand. Your not even taking issue with something unique to GDPR. Modern day slavery laws work in a similar manner, so does financial regulation, so does any contract where you customer gives you instructions, and you want to modify those instructions. Companies update their T&Cs and force customers to explicitly accept the new one all the time, this is not a new concept.



Name me one SaaS company that complied fully with GDPR, including the points we mentioned above?


Are you kidding? I’ve dealt with half a dozen, like FrontApp, Looker (before it was bought), Stripe etc

This was while working at a bank, where the level of scrutiny from financial regulators, privacy regulators, and customers with a bone-to-pick with us was sky high. It’s was a total pain in arse dealing with data protection agreements, and vetting them (both the agreement, and company) to make sure they met the standards. But you can bet your bottom dollar we did it.


You mention Stripe, but Stripe doesn't make companies sign data processing agreements for third party services they use so that's a no already.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: