The GDPR seventh principle states that "personal data held or used by a third party on your behalf (under the Data Protection Act you are responsible for ensuring that any data processor you employ also has appropriate security)."

This means that it is your responsibility to ensure that the third party (including your web agency), acting on your behalf, has the appropriate security in place to prevent data breaches, or other data mismanagements.

We would advise, assuming that as the data processer (your business), that you would be responsible for any fines, not your third-party supplier.

Did this answer your question?