Off the top of my head and without all the facts, I suspect that the processor thing is likely to be the issue.
A processor processes "on behalf of..." and I don't think that fits here.
Question - When does Pseudonymised become anonymised? If I Pseudo personal data and keep the key, then it's identifiable. If I pass the pseudo without keys to another organisation and it's contracted that they will never receive the key - is it still classed as identifiable? Not sure.
However, my view is that this would be a joint controller relationship, and that none of the organisations would be data processors...
Simon Howarth.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 27 June 2018 10:18
To: [log in to unmask]
Subject: [data-protection] Wednesday question
Controller / processor issue again ....
Company A is conducting research. Companies B C D .... hold personal data. Companies B C D ... agree to pseudonymise the data they hold and submit the pseudonymised data to Company A.
Assume there is no problem with a legal basis - all subjects freely give fully compliant and informed consent.
Company A requires B C D ... to sign a data processing agreement acknowledging that in carrying out the pseudonymisation A is controller since it is determining purpose and method and B C D are just processors. Does that make ANY sense?
In the draft on my desk it leads to some bizarre consequences which A has clearly not thought through. For example, one clause requires that B C D ... limit access to the personal data to those carrying out the pseudonymisation, which would mean that the data was unavailable to other staff for B C D ...'s pre-existing purposes! Is it just that clause (and similar) which are wrong or, as I believe, is regarding B C D ... as processors when they are working on their own data a fallacy?
PS Drafted by smart US lawyers ...