The Ealing Hounslow incident was indeed on the basis of controller - processor not joint controllers.
Hounslow were clobbered as they did not have a written contract with the processor (Ealing) as required by Sched 1 Part II DPA 1998 and failed to exercise due diligence on the arrangements.
Ealing were hit as controller as the lost unencrypted laptops were also used for their own business - they could not be penalised as a processor under 1998 Act for the Hounslow aspect.
Still a useful case under GDPR to warn a controller engaging a processor of the consequences of not having an Art 28(3) compliant contract, and exercising due diligence (Art28(1) and related provisions)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|