
Processing on behalf of the controller Joint control under Regulation 45/2001 Xanthi Kapsosideri


Presentation Transcript


  1. Processing on behalf of the controller / Joint control under Regulation 45/2001
     Xanthi Kapsosideri

  2. CONCEPT OF CONTROLLER
     - Definition in Art.2(d) - autonomous concept intended to allocate responsibilities (WP29 – Opinion 1/2010)
     - It is the institution/agency which shall be considered as ultimately responsible for data processing and obligations
     - A person may be designated, but will act on behalf of the institution/agency

  3. A specific identity is important:
     - as interface/contact person for the data subjects’ rights
     - to ensure data quality (according to Art.4(2)) and full compliance with data protection principles
     - Transparency
     But ultimate responsibility lies with the institution/agency!

  4. CONCEPT OF PROCESSOR
     - Definition in Art.2(e) - Its existence and lawfulness is determined by the mandate given by the controller (WP29 – Opinion 1/2010)
     - 2 conditions for being a processor:
       - External separate entity
       - Processing data on behalf of the controller

  5. Examples
     - Services & units – JRC 2008-0141
     - HR Department & confidential counsellors – FRA 2010-722 = CO-RESPONSIBILITY
     - Draft implementing rules – ERCEA 2010-341
     - Legally, controllership remains at the institution/agency
     - A system of controller-processor within an agency is not possible

  6. EXAMPLES OF EXTERNAL OUTSOURCING
     - the Commission's medical service acts as processor to an agency and the processing is governed by a SLA (JOH-18 agencies 2010-0171)
     - an external medical centre carries out some or most of the medical exams on behalf of an agency, and the medical advisor processes medical data at the agency's premises on behalf of an agency
     - an insurance company reimburses data subjects in case of accident/occupational disease by processing medical data on behalf of the EP (2006-0303) and Council (2004-0257)

  7. JOINT CONTROL
     A/ Large scale IT systems
     CPCS: competent authorities in M.S., Single Liaison Offices (specific public authorities in M.S.), Commission (2009-0019)
     EDPS:
     - Each competent authority, as a user, acts as a controller under national DP law and is responsible, i.e. for the relevance and accuracy of the info uploaded
     - Each SLO, as a coordinator, acts as a controller for its own activities
     - The Commission operates the system, ensures the security of the data exchanged, and has the exclusive role in carrying out deletion of cases …

  8. EWRS: Commission, ECDC, M.S. contact points, Steria (2009-0137)
     EDPS: Commission (operation role) & ECDC (risk assessment role) are co-controllers of the system
     - COMM has read and write access + is responsible for accuracy/proportionality; acts as a separate controller
     - ECDC has only read access + evaluates if it is entitled to make transfers to 3rd parties; acts as a separate controller
     - M.S. are responsible for their own processing operations when using EWRS and act as separate controllers
     - Steria is a subcontractor of ECDC hosting EWRS

  9. B) Research Projects
     PROTECT: EMA, member of a consortium, Steering Committee, Outcome (2010-0818)
     Is EMA a joint controller?
     EDPS: the notion of controller should be considered with regard to the consortium as a whole:
     - Members of the consortium remain responsible for the decision making despite delegation to the S.C.
     - The S.C. acts without specific autonomy and only takes decisions on behalf of the consortium, whose members co-decide

  10. - EMA should be considered as one of the controller(s), which determines the purposes and means of the processing, as a member of the consortium
      - Outcome acts as a processor + a principal controller, since it is also a member of the consortium and it is actually processing personal data
      - Different levels of responsibilities, jointly or solely, should be distinguished in a written agreement

  11. Article 23 REQUIREMENTS
      The contract or legal act should include that:
      - the processor shall act only on instructions from the controller (Article 23(2)(a));
      - the obligations with regard to confidentiality (Art.21) and security measures (Art.22) should be incumbent on the processor (Article 23(2)(b)), unless the processor is subject to a national law of one of the M.S.; then, by virtue of Article 17(3), second indent, of Directive 95/46/EC, those obligations are incumbent on the processor (Article 23(2)(b)).

  12. ARTICLE I.X - DATA PROTECTION
      “Any personal data included in or relating to the Contract, including its execution shall be processed pursuant to Regulation 45/2001… It shall be processed solely for the purposes of the performance, management… The Contractor shall have the right of access to his personal data and the right to rectify any such data that is inaccurate or incomplete. Should the Contractor have any queries concerning the processing of his personal data, he shall address them to the institution/agency. The Contractor shall have the right of recourse at any time to the EDPS”.

  13. - Mere reference to the contractor’s personal data and the right of access to them is not sufficient
      - Data subjects should also be included, since part/all of their data are processed by the processor within the execution of the contract
      - Where there is reference to “the Contractor”, institutions/agencies should add the phrase “and the data subjects whose data are processed by the Contractor”

  14. CONCLUSIONS
      - The determination of purposes, means, and joint/single control stems from legal and factual circumstances
      - Need for clear and unambiguous designation of controllers/processors in a written agreement
      - Need for clear and specific allocation of responsibilities
      - The controller(s) remains responsible on substance (lawfulness, quality, retention, transfer, notice, rights, security …)
      - The controller may allow the processor to choose the most suitable technical and organisational means

  15. Any questions?
