Supplier voice data compliance

Subcontracting in the voice industry – who’s taking the risk?

Under GDPR, an entity or person is considered a subcontractor if  processing personal data on behalf of, on the instruction of, and under the authority of a data controller (entity or individual who determines the means and purpose of processing). 

GDPR is based on a logic of responsibility and accountability of all entities and individuals processing European personal data. GDPR considers every stakeholder in the production chain co-responsible for the compliance of a project, subcontractors included. 

Subcontractors are also held accountable for the compliance of samples they use and exchange. Administrative penalties can reach up to €10M or €20M, or up to 2% or 4M of global revenues. A few examples of when such sanctions could apply : 

  • Acting outside the lawful instructions of the client      
  • Not respecting data subject rights outlined by the GDPR
  • Not providing access to personal data being held
  • Not providing data subjects the necessary information to exercise their GDPR data protection rights
  • Not informing a client a direct instruction would be a violation of European regulations
  • Subcontracting without explicit authorisation by a client

From the final client to localised voice production provides, all project stakeholders must be able to ensure GDPR compliance of everyone involved in a voice production project.  

For example, a company working with an external studio or voice director who provides castings, voice samples, actor names, phone numbers, etc.,  must be guaranteed the supplier has obtained all necessary permissions and processed all actor data in compliance with GDPR before they accept data from the supplier. 

To learn more about GDPR obligations and data subject (actor) rights, please read the subcontracting guide of the CNIL (In French), or visit the CNIL’s website.

Disclaimer: All data and information provided in this blog post are for informational purposes only. Mediartis makes no representation as to the accuracy, completeness, timeliness or validity of the information contained in this document. We recommend that you consult a DPO or privacy lawyer for legal advice regarding data protection legislation obligations.


Share this article