Controller / processor issue again ....
Company A is conducting research. Companies B C D .... hold personal data. Companies B C D ... agree to pseudonymise the data they hold and submit the pseudonymised data to Company A.
Assume there is no problem with a legal basis - all subjects freely give fully compliant and informed consent.
Company A requires B C D ... to sign a data processing agreement acknowledging that in carrying out the pseudonymisation A is controller since it is determining purpose and method and B C D are just processors. Does that make ANY sense?
In the draft on my desk it leads to some bizarre consequences which A has clearly not thought through. For example, one clause requires that B C D ... limit access to the personal data to those carrying out the pseudonymisation, which would mean that the data was unavailable to other staff for B C D...'s pre-existing purposes! Is it just that clause (and similar) which are wrong or, as I believe, is regarding B C D ... as processors when they are working on their own data a fallacy?
PS Drafted by smart US lawyers ...