

Renzo,

I do not see a problem with your approach. Two things are being conflated: the decision to choose a processor and the processing they will carry out.

 

Unless you have a unique situation, I do not see why you would need SPD to select a supplier. Thus, no PD so no SPD so no need to find conditions.

 

Once you decide on a supplier, they become part of your organisation for the purposes of the DPA. (I put that crudely but they are your agent and as such are an extension of your organisation contractually.)

 

Once they are part of the organisation they would process the data based on the conditions that allowed your organisation to process the information in the first place. They would have to object to the organisation not the processor if they had an issue. If the client did not like your supplier, then they could object if the processing for the SPD was on condition 1 of Schedule 3.  They could take their business elsewhere.

 

I would be interested in the argument that says that the decision to select a supplier entails processing of SPD.

 

I hope this helps. Please let me know if I have misunderstood the issue.

 

Best,

 

Lawrence

 

 

 

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Marchini, Renzo
Sent: 20 January 2015 17:58
To: [log in to unmask]
Subject: Outsourcing and sensitive personal data

 

Here’s a conundrum that comes up in my day to day practice every now and again and I wondered what the board thought of it.

 

- The definition of “Processing” includes any operation on data.

- Does the appointment of an outsourced service provider to process data for the controller in itself constitute an act of processing (such as “disclosure” to a third party)?

- If it did, then the data controller of course needs to comply with a Schedule 2 condition and paragraph 6 is the natural one to consider in most cases.

- However, if sensitive personal data is involved you also need a Schedule 3 condition. There is no obvious candidate: express consent being impractical even if potentially obtainable.

- Conclusion: you cannot use an outsourced service provider to process sensitive personal data!

 

The only way out of this conundrum that I see is to take a very narrow reading of “processing” and conclude that appointing a service provider is not in itself something that needs to be justified under Schedule 2 or 3 as an act of processing.

 

At least that’s the way I’ve approached it to date.  A conversation I have just had with a German data protection lawyer has made me question my approach.

 

I assume that some colleagues have been involved in outsourcing of the processing of, say, health data (or even plain vanilla HR data which may also contain sensitive data).

 

Any thoughts gratefully received!

 

Thanks!

 

 

 

 

Renzo Marchini

Special Counsel
Dechert LLP
+44 20 7184 7563 Direct





All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)





