Regulatory Background
Data privacy regulations around the world require organizations to notify third-party vendors that process data on their behalf when a subject rights request has been received from an individual whose data may have been shared for sub-processing.
Likewise, vendors processing data on behalf of third-party organizations are required to notify these organizations when they receive a subject rights request from an individual whose data originated with that organization.
In both cases, organizations and vendors receiving these notifications are obligated to act on them as if they were subject rights requests received directly from the requesting individual.
How To Set Up Third-Party Notifications
Osano can automate third-party notifications to downstream vendors or upstream organizations through the following steps:
1. Open a data store that sends data to a third-party vendor or receives data from a third-party organization.
2. Click on the Vendor Relationships tab within the data store.
3. Click the plus icon at the bottom right of the vendor relationships table to open the add vendor relationship modal.
4. Add a Vendor Name by searching for a vendor in Osano's vendor database, specify whether that vendor receives data from this data store or sends data to it, enter an email address to send third-party notifications to, and then click 'Save'.
How Third-Party Notifications Work
Once a vendor relationship has been established at a data store, any action items generated for that data store when a subject rights request has been ID-verified will automatically trigger a vendor notification to the vendor contact email specified.
If the same email is specified as the vendor contact on multiple data stores, duplicate notifications will not be sent. Instead, a single notification will be sent to each vendor contact.
The action item card of any data store with an established vendor relationship displays whether and where these notifications have been sent for a received subject rights request that requires a third-party notification.
What Do Third-Party Notifications Look Like?
There are two slightly different templates used for third-party notifications. Which template is used when notifying a third party depends on the vendor relationship specified on the data store, i.e., whether the vendor receives data from the data store or sends data to it.
Here is the template used when a vendor sends data to a data store. Variables pulled from the request/data store that triggered the notification appear in square brackets:
[Vendor-Name],
We have received a [request-type] request from [requesteremail] and are notifying you of this request as a party that 'receives personal information from you'/'sends personal information to you'. We are processing the [request-type] request and will notify [requesteremail] when we are finished. We ask that you process this request and notify [requesteremail] when you are finished.
This is the information we received as part of the original request:
Requester Email: [Requester-Email]
Request Type: [Request-Type]
Requester Type: [Requester-Type] if present, otherwise ‘Not provided’
First Name: [First-Name-Value] if present, otherwise ‘Not provided’
Last Name: [Last-Name-Value] if present, otherwise ‘Not provided’
Country of Residence: [Country-of-Residence-Value] if present, otherwise ‘Not provided’
State/Province/Territory: [State/Province/Territory-Value] if present, otherwise ‘Not provided’
Thank you,
[Company Name]