Many thanks to Peter and Paul for their comments which have helped clarify my thinking.
I do not have a problem with C only having an agreement with A, with B being a sub processor providing it is properly drafted - which follows logically from Paul's analysis.
Also I am happy that A, who has specified the app, does not thereby necessarily become a data controller - C chooses to use the app and can control the contract terms (or walk away). I could think of arrangements where A would become DC but in the specific example I have in mind that would be most inappropriate as it is sensitive health data and C would not want anyone else having DC rights and responsibilities.
Of course there is an issue if A is continuing to develop and improve the app - if that were to change the way the data was managed significantly (e.g. deleting a field). Again that would come down to careful drafting to ensure that A could not unilaterally impose such a change with C always being in control of purpose and method - or again walking away with its data.