Renzo,
I wanted to explore one point that you raised in your excellent post.
"But of course you can only be a "data controller" if you have the data in your possession. "
I am not sure I follow the logic of this argument. An organisation may enter into contracts where it never sees the data nor does it ever possess it in any way. I am thinking of a framework contract where an organisation says "I want this service delivered to these people. We will pay you to deliver the service as you see fit as long as you meet our contract criteria." In that scenario, the organisation should be the data controller because they direct the processing of the data and determine the purposes for which it will be used.
If possession were the key criteria for a data controller, then the focus on being able to determine purpose and means by which data is processed would not be as determinative as it is.
Unless, of course, we assume, in my example, that the data is already in the possession of the data controller by virtue of the fact that the people accepting the contract are data processors and the data they hold for the contract are by extension automatically "held" by the data controller.
However, even if we accept that argument we face the secondary issue, based on possession, of a joint data controller arrangement. If the same contract is arranged, but the contract calls them both joint data controllers, but the contract initiator never gains possession of the data, can they be said to be a data controller?
I agree that possession is 9/10ths of the law, but being a data controller would have to rely on more than possession. Unless of course, we are saying that in a joint data controller arrangement the data is automatically considered to be joint owned even if it is not shared, so that it is, again, virtually in the possession of both even though one of the data controllers does all the work with the data.
If that is the meaning, then I can see your point. However, if that is not what you meant, I would be grateful if you would clarify.
Best,
Lawrence
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Marchini, Renzo
Sent: 23 October 2013 09:45
To: [log in to unmask]
Subject: Re: [data-protection] The artist formerly known as data protection
I agree the conference analogy is a good one.
There is one nuance in addition here, though. The data subjects going to the concerts (aka as "fans") are - more likely than not - visiting to see the artist not because they like the venue. (I appreciate that for some specialist venues that may not be the case; the concert goer may not know the artist and might go because s/he has faith that the venue will put something on that they might enjoy or be interesting.)
Let's assume though that the artist is the main attraction. In that circumstance, I think it not unarguable (to put it at its lowest) that the fan will appreciate that details are or may be passed onto the artist's management for the artist's marketing purposes. So absent consent, I think there might be a good argument that there is still a legitimate ground for sharing the data (para 6 of sched 2).
But of course you can only be a "data controller" if you have the data in your possession. The contract between venue and artist (if drafted in favour of the artist) would or could provide an obligation on the venue to pass over the data. Without it, the artist simply won't have the data. And of course the contract could - for good practice - also contain notices making clear that the data would be shared.
Renzo Marchini
Counsel
Dechert LLP
+44 (0) 20 7184 7563 direct
+44 (0) 20 7184 7001 fax
[log in to unmask]
www.dechert.com
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: 23 October 2013 09:17
To: [log in to unmask]
Subject: Re: [data-protection] The artist formerly known as data protection
It's an easy one to solve when you have thought about it. I would say that in the instance you describe the artist has no rights to the personal information at all. However, part of our business is conference management.
As delegates register and pay we always ask the question to the effect that we would like to pass their email address on to conference sponsors and/or conference speakers and/or conference stall holders. That way the individuals could opt out of having their details passed around. Same thing could be done when selling tickets? I mean they get you tick a box to agree that you are ecstatic about being charged an extra five quid on top of the price as a "booking fee", and you can't opt out of that or you don't get the ticket. Imagine what it would be like being given a real option!
Simon Howarth.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz
Sent: 22 October 2013 12:45
To: [log in to unmask]
Subject: [data-protection] The artist formerly known as data protection
Dear All,
Interesting scenario has arisen. Artist books a venue. Venue handles all the details, including payments and booking system for clients most of whom are regulars to the venue. The venue markets the event and publicises it.
Artist performs. Artist then asks for personal data of all the people who booked so that they can create a mailing list to develop their fan base.
Question: Who is the data controller? Is the Artist a joint data controller with the venue? If so, can they insist that the venue provide all the contact details of the people who attended so that they can market to them?
My view is that the artist is not a data controller nor a joint data controller because they have no say in how the personal data is to be collected or the manner in which it is to be processed. However, I would be interested to know if anyone else has dealt with this situation.
http://www.ico.org.uk/for_organisations/guidance_index/~/media/documents/lib
rary/Data_Protection/Detailed_specialist_guides/data_controllers_and_data_pr
ocessors.ashx
I could see a money making possibility as artists propose contracts that have a key data protection clause that, as part of the contract to perform, that they obtain the audience contact details as collected by the booking company. I could see booking companies offering this as a service for a fee, with the usual caveats of privacy notices and DPA principles being met.
I would be interested in your views on this scenario.
Thanks
Lawrence
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is authorised and regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|