Controller vs Processor (and Subprocessors)
Smart Connect GDPR Compliance Overview

Introduction

This document provides an overview of how Self Gen Connect Ltd, trading as Smart Connect ("SGC"), complies with the General Data Protection Regulation (GDPR) in relation to the Smart Connect Consent Tool. It outlines the responsibilities of SGC as both a data controller and a data processor, as well as the obligations of SGC users who act as data controllers and the roles of End Users.

Roles Defined Under GDPR

The GDPR separates the responsible parties for data protection into three main categories in the context of the Smart Connect Consent Tool:

- End Users: Individuals (typically consumers) who provide their personal data and grant consent for its processing. They are the data subjects whose privacy and rights are protected under GDPR.
- Controllers (SGC & SGC Users): SGC acts as a data controller for its own business marketing purposes and when using the Smart Connect Tool with its own consumers. In addition, SGC users, such as approved installers, also act as data controllers when collecting data from their customers and website visitors.
- Processors (SGC): SGC acts as a data processor for SGC users, processing data on behalf of the controllers. SGC also uses third-party sub-processors to deliver specific services, such as data storage and support.

Obligations of a Data Processor (SGC)

SGC, acting as a data processor, is obligated under GDPR to comply with the following requirements:

- Processing Authorisation: SGC can only process personal data where authorised by the data controller. This authorisation is covered by the Data Processor Agreement.
- Sub-Processor Notification & Consent: SGC must notify and obtain consent from the data controller when transmitting personal data to a sub-processor.
- Use of Sub-Processors: SGC uses sub-processors to provide the platform and services, including storing platform data and providing help and support to users. The sub-processors used by SGC may vary, and a full list of data sub-processors is available upon request. Any sub-processor used by SGC will be fully vetted, and GDPR compliance will be ensured.
- Data Protection Impact Assessment (DPIA): Whenever a change is made to the way that data is processed, SGC will conduct a Data Protection Impact Assessment if that change is likely to result in a higher risk to individuals' privacy rights.
- Security Breach Notification: SGC will notify data controllers of any breach in processor security that could impact personal data.
- Data Protection Officer (DPO): SGC has appointed a Data Protection Officer to ensure compliance with GDPR obligations.

Obligations of a Data Controller (SGC & SGC Users)

SGC, acting as a data controller for its own purposes, and SGC users who act as data controllers, have the following obligations under GDPR:

- Help Data Subjects Exercise Their Rights: Controllers must assist data subjects in exercising their rights, including access to data, rectification of incorrect data, and erasure of data (the right to be forgotten).
- Provide Information on Data Processing: Controllers must provide certain minimum information about the intended processing of personal data. This information should be presented in an easily understandable format, often through a privacy policy or terms and conditions document.
- Obtain Consent for Cookies: Controllers must obtain appropriate consent for the use of cookies on their websites, especially for tracking cookies. This consent must comply with GDPR standards.
- Comply with Email Marketing Regulations: Controllers must ensure that email marketing practices comply with GDPR, including obtaining consent for e-marketing and complying with anti-spam regulations.
- Obtain Parental Consent for Minors: Where personal data is processed in relation to individuals under the age of 16 years (younger in some jurisdictions), parental consent must be obtained before processing.

Obligations of End Users

- Providing Accurate Information: End Users must provide accurate personal data, such as name, address, and contact details, during the consent process.
- Consent Management: End Users have the right to provide, withdraw, or modify their consent at any time. This includes opting out of data processing activities that they no longer wish to participate in.
- Exercising Rights: End Users have the right to access their data, request corrections, request deletion, and object to data processing as per GDPR requirements. These rights can be exercised through the Smart Connect platform.

GDPR Compliance Measures

To comply with GDPR, SGC and its users take the following measures:

- Data Security: SGC ensures that all personal data processed is protected through encryption, secure storage, and regular security assessments.
- Auditing and Record-Keeping: SGC maintains records of processing activities, including details of sub-processors, to ensure transparency and accountability.
- Training and Awareness: All personnel involved in data processing receive GDPR training to ensure they understand their responsibilities in protecting personal data.
- Data Subject Rights: SGC users are required to provide data subjects with mechanisms to exercise their rights, such as data access requests or requests for data deletion.

Contact Information

For more information on GDPR compliance or to request a list of sub-processors used by SGC, please contact our Data Protection Officer at gdpr@selfgenconnectltd.co.uk.

This GDPR Compliance Overview outlines how Smart Connect complies with data protection regulations and ensures that SGC, its users, and End Users meet their obligations under GDPR. By using the Smart Connect Consent Tool, all parties agree to adhere to these data protection standards, ensuring the privacy and security of personal data.