How ED&I works (in general)
Principles of Processing Personal Data
- Lawful, fair & transparent
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawful Bases for Processing
- Legal obligation – you have a legal obligation to check for sanctions and designated persons, but you must still comply with the data minimisation principle. If your ED&I provider can run a simple check against the sanctions list, with ongoing updates, then this is a good basis to rely on. Speak with your provider about it, as they have their own agreements and lawful bases with their own data providers. If the check also includes a credit check, then this, in my opinion, would breach the data minimisation principle.
- Contract – this is the basis on which you process information about your own client, and your ED&I provider may have given you wording to include in your letter of engagement or terms of business. You obviously do not have a contractual relationship with the third parties you are checking, so this basis cannot cover them.
- Legitimate interest – you could potentially use this as a ‘fallback’. Again, the data minimisation point rears its head. Moreover, you would open yourself up to difficulties: the data subject rights that are excluded under legal obligation, including the right to object and the right to erasure, apply when legitimate interest is relied on. You could find yourself having to delete your sanctions checks, leaving you in breach and unable to demonstrate that you carried out reasonable checks.
- Consent – has all of the same difficulties with data subject rights as legitimate interest, and consent can be withdrawn at any time, in addition to the practical problem of obtaining valid consent from the third party in the first place.
- Vital interests – does not apply in this situation, and neither does public task (processing in the public interest).
We think the strongest basis for lawfully processing third party sanctions checks is ‘Legal Obligation’, bearing the following in mind:
- Data minimisation. Check that you are only processing what is necessary to check for sanctions. Have a chat with your ED&I provider, or simply use the publicly available sanctions checking tool from HM Treasury and take a dated screenshot of the result as your record.
- Ensure that third party sanctions checks appear in your data process maps/data flows and in your publicly available Privacy Notice/Data Protection Notice.
- Do not forget the ongoing duty to check. If you do not receive updates from your ED&I provider, do you need to re-run checks against the Treasury list on a regular basis?
- Document your decision and why you took it, including when you will make checks on third parties, what data you will process, and your lawful basis.