Renzo
Marchini
Dechert LLP
+44 (0)
20 7184 7563 direct
+44 (0) 20 7184 7001 fax
[log in to unmask]
www.dechert.com
I've just had an interesting conversation with an experienced casework officer at the ICO. I respect his views and he respects mine. We each understand the problem below differently and have different views on the lawfulness or otherwise of it. Neither he nor I will change our position on it. We are each pragmatic enough to known that either of us could be found to be correct in a court of law and also that going to law would be pointless.
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 24 May 2010 12:16
To: [log in to unmask]
Subject: [data-protection] When is unexpected processing allowable?Here is the scenario:I entered a quiz on Party A's website. There was no Fair Processing Notice so I expected that my data would be used solely for the quiz, and that no other use would be made of it. Party A has made no other use of it.Party A has a Data Processor Agreement with Party B, their Data Processor, whose office address is China. I know this because I received an unsolicited email from Party B to tell me that I had taken part in this quiz and to offer me the chance to take part in other quizzes.I view this as a data transfer having taken place to a third party and (though I have no idea where B's servers are) data transfer having taken place to a third country. I view this as a transfer, NOT because it has gone to a Data Processor (which is wholly valid), but because it has been processed by B as a Data Controller (in addition to their processing it as A's Data Processor).The ICO disagrees. They are content with the unexpected processing of the data since B asked once and once only of I wished to participate in more of their services.They consider that any agreement between A and B is sufficient to cover this use of data. However they did confirm that multiple emails from B would have made them form a different view. They agreed that the fact of B's office address in China could be a cause for concern with the volume of s[am emanating form China, but still feel that the unexpected processing by B of my data, given freely to A but not to B is valid.The ICO and I agreed that, while there is a possible PECR issue top answer, that the Chinese angle makes this impossible to pursue, even (probably) against A.A, by the way, is part of the UK Law Enforcement organisation.I'm much interested in your thoughts. The thought of "Oh no, Tim, not again!" need not be said!
Tim Trent - Consultant
Tel: +44 (0)7710 126618
web: ComplianceAndPrivacy.com - where busy executives go to find the news first
personal blog: timtrent.blogspot.com/ - news, views, and opinions
personal website: Tim's Personal Website - more than anyone needs to knowImportant: This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. This email and any attachment(s) are believed to be virus-free, but it is the responsibility of the recipient to make all the necessary virus checks. This email and any attachments to it are copyright of Meadowood Associates, owners of Compliance And Privacy, unless otherwise stated. Their copying, transmission, reproduction in whole or in part may only be undertaken with the express permission, in writing, of Meadowood Associates, at Meadowood House, 30 Redditch, Bracknell, Berkshire, RG12 0TT.
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
- Leaving this list: send leave data-protection to [log in to unmask]
- Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
- To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
- To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)