Tim
 
I think the ICO is wrong.
 
If Party B wrote to you, in their own name, that is, not simply as the "mailing house" for Party A, then Party B is a data controller, and not a processor.
If Party B (and not Party A) is broking your participation in other competitions (selling your details on etc), then Party B is a data controller.
 
Party B is so clearly determining the purposes for which the data is processed.
 
Party B is outside the jurisdictions - so no recourse there.  But Party A does have to justify how it transferred the data to Party B so that the latter can act as a controller. (It is just about conceivable that Party A did all the diligence required etc and they are innocent - but then they should clearly stop using Party B).
 
To me it's not even arguable the other way.
 
R
 
 

Renzo Marchini
Dechert LLP
+44 (0) 20 7184 7563 direct
+44 (0) 20 7184 7001 fax
[log in to unmask]
www.dechert.com

 


From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 24 May 2010 12:16
To: [log in to unmask]
Subject: [data-protection] When is unexpected processing allowable?

I've just had an interesting conversation with an experienced casework officer at the ICO. I respect his views and he respects mine. We each understand the problem below differently and have different views on the lawfulness or otherwise of it. Neither he nor I will change our position on it. We are each pragmatic enough to know that either of us could be found to be correct in a court of law and also that going to law would be pointless.

Here is the scenario:

I entered a quiz on Party A's website. There was no Fair Processing Notice so I expected that my data would be used solely for the quiz, and that no other use would be made of it. Party A has made no other use of it.

Party A has a Data Processor Agreement with Party B, their Data Processor, whose office address is China. I know this because I received an unsolicited email from Party B to tell me that I had taken part in this quiz and to offer me the chance to take part in other quizzes.

I view this as a data transfer having taken place to a third party and (though I have no idea where B's servers are) data transfer having taken place to a third country. I view this as a transfer, NOT because it has gone to a Data Processor (which is wholly valid), but because it has been processed by B as a Data Controller (in addition to their processing it as A's Data Processor).

The ICO disagrees. They are content with the unexpected processing of the data since B asked once and once only if I wished to participate in more of their services.

They consider that any agreement between A and B is sufficient to cover this use of data. However they did confirm that multiple emails from B would have made them form a different view. They agreed that the fact of B's office address in China could be a cause for concern with the volume of spam emanating from China, but still feel that the unexpected processing by B of my data, given freely to A but not to B, is valid.

The ICO and I agreed that, while there is a possible PECR issue to answer, that the Chinese angle makes this impossible to pursue, even (probably) against A.

A, by the way, is part of the UK Law Enforcement organisation.

I'm much interested in your thoughts. The thought of "Oh no, Tim, not again!" need not be said!

Tim Trent - Consultant
Tel: +44 (0)7710 126618
web: ComplianceAndPrivacy.com - where busy executives go to find the news first
personal blog: timtrent.blogspot.com/ - news, views, and opinions
personal website: Tim's Personal Website - more than anyone needs to know

Marketing by Permission

Important: This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. This email and any attachment(s) are believed to be virus-free, but it is the responsibility of the recipient to make all the necessary virus checks. This email and any attachments to it are copyright of Meadowood Associates, owners of Compliance And Privacy, unless otherwise stated. Their copying, transmission, reproduction in whole or in part may only be undertaken with the express permission, in writing, of Meadowood Associates, at Meadowood House, 30 Redditch, Bracknell, Berkshire, RG12 0TT.



All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)



This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.

