3

Let's say you have a general Cloud service to create PDFs from content or even a data storage. Neither services are meant to process PII data (in the sense of GDPR), still - as the content is not controlled by the service - you do not know what's in the data.

Do you need to adhere to the processes of GDPR?

Chris
  • 131
  • 1

1 Answers1

4

Technically, the Data Controller is responsible for making sure all processes are GDPR compliant. That means that whoever uses your service needs to make sure that they are being compliant. If they need you to be compliant, then they need to engage you. You can decline to become compliant if that does not meet your goals.

But, if you knowingly process personal information (like user accounts?) then you need to be compliant (for EU PII).

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Good point with the user data - there you would act as a data controller, wouldn't you. But as it lies right now - our service does only know about client organisations, not about users – Chris Apr 24 '18 at 09:06