
An NHS organisation sets up a wholly owned management company - essentially for VAT advantages.

Staff employed by the company effectively manage all security tasks including CCTV operation and related tasks for the organisation, but are subject to all of the organisation's policies & procedures, and get all guidance and support from the organisation's IG team and DPO, together with approval of any procedures and processes.

There are considerable practical difficulties (contract, day to day control, decision making, accountability etc.) in regarding the company, although it is technically an independent legal entity, as either a controller or processor. Is there any reason why the organisation cannot simply regard the company as neither, but as a "person who, under the direct authority of the controller or processor, is authorised to process personal data" - in effect a 'corporate' employee? 

That certainly seems to me a better description of the relationship - the company does as it's told like any employee but has a measure of independent action in daily tasks.
