I don't think it's that important to distinguish between a Controller
and a Processor under GDPR, especially if the situation is genuinely
complicated.

If two organisations are joint Controllers they have to set out their
respective responsibilities transparently. If one is a Controller and
the other a Processor they have to have a contract where the Processor
undertakes to carry out certain functions, and can be directly liable if
it doesn't do so.

Either way the parties involved have to have a clear idea of who is
going to do what, and what will happen if they don't (including
enforcement action against either of them). That can be a contract,
whether they are joint Controllers or Controller and Processor. If I
undertake to develop a software platform and keep it secure, for
example, that is what I have to do, regardless of whether I'm a
Controller or a Processor.

Where three or more parties are involved, the situation could be more
complicated, but the need for a clear agreement is the same.

Obviously I'm not a lawyer, and I'm sure I've missed some nuances, but I
wouldn't be surprised if there are more joint Controller arrangements
and fewer Controller/Processor arrangements under GDPR.

Best wishes,
Paul

Paul Ticher
22 Stoughton Drive North, Leicester LE5 5UB
0116 273 8191

On 10/04/2018 16:21, Phil Bradshaw wrote:
> Company A has designed and commissioned a web-based application from Company B which holds special category data.
>
> Company A licenses Company C (and many others in properly segregated silos) to use the application for its customers. Company A will have no access at all to the data.
>
> Is it sufficient for Company C to have a 'processing agreement' with Company A with Company B as sub-processor, or must C have a direct agreement with B?
>
> Is there any basis at all for saying A is a data controller for C's data because, in designing the application, it selects which types of personal data are to be collected? I cannot see how, as that would make it a joint data controller for C's data which is nonsense.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>