A = Controller
B = Processor
C = Subject
B inadvertently does something with C's data which is outside of A's instructions and amounts to a reportable (to ICO) breach due to detriment. B's actions were however part of the workflow for A, they just got it wrong in C's case.
Options:
1 A reports as the controller of the source data
2 B reports as the de facto controller for the processing activity as it fell outside of A's instructions
3 A & B both report
4 B says to A, this is reportable and we think you should do it, but if you won't we will
5 A says to B, this is reportable and we think you should do it, but if you won't we will
2 Logic and Art 33 suggests 2 to me as B was acting as controller for the specific processing which resulted in a risk to the rights and freedoms of C. Contractually however (standrad Crown Procurement terms) B's responsibility is simply to report the event to A and provide A with such assistance as A requires, which might suggest A decides who reports.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
An archive of messages is stored permanently at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send an email to [log in to unmask] with no subject
and leave data-protection as the message body. This is an automated service.
Additional subscriber help is available at https://www.jiscmail.ac.uk/help/subscribers.html
Any other list queries can be emailed to [log in to unmask]
For general JISCMail queries please email [log in to unmask]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|