Thanks for the responses.
I tend to side with Andrew and Ben. Unusually, not convinced by Jon / Joelle's take.
I think these two may well be different:
1. If it is a breach in the context of planned activity - original controller needs to report. Contract will usually say (e.g. gov procurement standard terms) that processor duty is to report to controller and assist controller with reporting. Asking processor to report makes no sense.
2. If processor has gone off and done something wholly unrelated with the data e.g. an employee did not realise it was not the processors data, I can see a strong argument that the 'processor' must report because the original controller cannot be the controller for that activity - did not determine purpose or means in any way.
The problem with saying, in scenario 1, that processor has become a controller by virtue of any deparyure from instructions is that B has not really determined purpose and means - they have just made an error - typically staff oversight. It also makes parts of Art 28 otiose. There would e.g. be no need to assist the "controller" with Art 33 rights as you would be the controller. The standard contract clause is redundant.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
An archive of messages is stored permanently at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send an email to [log in to unmask] with no subject
and leave data-protection as the message body. This is an automated service.
Additional subscriber help is available at https://www.jiscmail.ac.uk/help/subscribers.html
Any other list queries can be emailed to [log in to unmask]
For general JISCMail queries please email [log in to unmask]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|