Processing on behalf of the controller

Slides:

Advertisements

Similar presentations

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

Advertisements

The data retention directive: data protection aspects Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg 375 B-1040.

1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

The Data Protection (Jersey) Law 2005.

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

Not legally binding FP7 Rules for Participation and Grant agreement FP7 Helpdesk 

Europol’s tailor-made data protection framework

EU: Bilateral Agreements of Member States

THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS

Migration Law Schengen Information System by Konrad Wilk.

Processing on behalf of the controller Joint control under Regulation 45/2001 Xanthi Kapsosideri.

TAIEX Seminar on the Directive on Services in the Internal Market Warsaw, Freedom to Provide Services Clause Article 16 Sophie Malétras.

Good practices from and for the EU accountability process Irena Petruškevičienė Vilnius, 17 October 2006.

Data Protection Compliance Professor Ian Walden Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University.

The 3rd package for the internal energy market Key proposals EUROPEAN COMMISSION Heinz Hilbrecht Directorate C - Security of supply and energy markets.

Processing on behalf of the controller Joint control under Regulation 45/2001.

16-17 November 2005 COSCAP – NA Project Steering Group Guangzhou, China 1 Co-operating with the European Aviation safety Agency.

Presentation Title Data Protection The new EU Regulation Insert your logo here.

1 Agencia Española de Protección de Datos The Use of Contracts and BCRs to Transfer Personal Data The European Union – United States Safe Harbor framework:

1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.

1.State foreign trade regulation 2. Rules of Russian private international law applicable to international contracts.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Freedom to Provide Services Clause Why does the Country of Origin Principle not exist anymore? Martin Frohn.

Agencija za zaštitu ličnih/osobnih podataka u Bosni i Hercegovini Агенција за заштиту личних података у Босни и Херцеговини Personal Data Protection Agency.

Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.

© CENTER FOR INFORMATION TECHNOLOGY SERVICES UNIVERSITY OF OSLO USIT Page 1 Re: Study on the privacy issues arising with the public pan-European White.

Chisinau, Republic of Moldova 2017

Personal Data Protection

HIPSSA Project PRESENTATION ON SADC DATA PROTECTION MODEL LAW

Industry 4.0 – New ways of cooperative working – are we prepared?

GDPR (General Data Protection Regulation)

The 3rd package for the internal energy market

Issues of personal data protection in scientific research

Claude Probst European Aviation Safety Agency

Co-operating with the European Aviation safety Agency

Obligations of Educational Agencies: Parents’ Bill of Rights

GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E

General Data Protection Regulation

SPCs and the unitary patent package

EU Directive 95/46/EC (Paragraph 2) “Whereas data-processing systems are designed to serve man; whereas they must Respect their fundamental rights.

Radar Watchkeeping: Have you monitored your Communication department’s radar to avoid collisions with the new Regulation? 43rd EDPS-DPO meeting, 31 May.

Bob Siegel President Privacy Ref, Inc.

Data Protection Reform in Local Government

Transfers of personal data

Commission proposal for a Directive on

State of the privacy union

G.D.P.R General Data Protection Regulations

The GDPR and research data

GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers Terry Brewer Chief Executive.

GDPR Overview and Use Cases.

HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Meeting with the Namibia ICT Ministry and Data Protection Stakeholders.

Relocation CARNIVAL come one…come all

Institutional changes The role of Bilateral Oversight Boards

INTELLECTUAL PROPERTY RIGHTS (IPR) IN FP7

GDPR Workshop MEU Symposium Prague 2018

Data transfers to non-EU countries under the new GDPR

The activity of Art. 29. Working Party György Halmos

Welcome IITA Inbound Insider Webinar: An Introduction to GDPR

This project is funded by the European Union

Data Protection: The new EU Regulation

Themes for training on data protection

GDPR PERSONDATAFORORDNINGEN I PRAKSIS

Session 4: Data Mapping and Data Subject Rights

Session 4: Data Mapping and Data Subject Rights

Processing on behalf of the controller

GDPR Workshop – Partnerships for Jewish Schools

Getting Ready For GDPR Simon Marks Director

Presentation transcript:

Processing on behalf of the controller Joint control under Regulation 45/2001

CONCEPT OF CONTROLLER Definition in Art.2(d) - autonomous concept intended to allocate responsibilities (WP29 – Opinion 1/2010) It is the institution/agency which shall be considered as ultimately responsible for data processing and obligations A person may be designated, but will act on behalf of the institution/agency

A specific identity is important: as interface/contact person for the data subjects’ rights to ensure data quality (according to Art.4(2)), full compliance with data protection principles, Transparency But ultimate responsibility lies with the institution/agency!

CONCEPT OF PROCESSOR Definition in Art.2(e) - Its existence and lawfulness is determined by the mandate given by the controller (WP29 – Opinion 1/2010) 2 conditions for being a processor: External separate entity Processing data on behalf of the controller

EXAMPLES OF EXTERNAL OUTSOURCING the Commission's medical service acts as processor to an agency and the processing is governed by a SLA, an external medical centre carries out some or most of the medical exams on behalf of an agency and the medical advisor processes medical data at the agency's premises on behalf of an agency an insurance company reimburses data subjects in case of accident/occupational disease by processing medical data on behalf of the EP and Council

JOINT CONTROL/CONTROLLERSHIP Large scale IT systems The Custom Information system (CIS) case OLAF and the competent authorities in the MS are co-controllers. Why? Some of the tasks of a controller cannot be fulfilled by OLAF. The uploading and amending of data, the decision on whether or not to extend storage for CIS cases, is done by the competent authorities in the MS + They are the only ones capable of changing data uploaded by them so the right to rectification (incumbent on the controller, Art. 14) is to be ensured by them + They are the one authorising transfers to third countries.

Competent authorities cannot be regarded as mere users of the system. Their decisions have significant impact on the purposes of the processing. CIS mirrors other large-scale IT systems such as EURODAC in which the Commission is responsible for the setting up and the operational management, but not for the actual content of the data uploaded to the system: OLAF sets up the system, gives concrete form to the autorisation in the legal basis: it partly determines the means and purposes of processing. So do the competent authorities of the MS. Each controller is responsible of its own processing operations.

Article 23 Processing of personal data on behalf of controllers REQUIREMENTS The contract or legal act binding the controller and the processor should include that: the processor shall act only on instructions from the controller (Article 23(2)(a)); the obligations with regard to confidentiality (Art.21) and security measures (Art.22) should be incumbent on the processor (Article 23(2)(b)) unless the processor is subject to a national law of one of the M.S, then by virtue of Article 17 (3), second indent, of Directive 95/46/EC, those obligations are incumbent on the processor (Article 23(2)(b)).

ARTICLE I.X-DATA PROTECTION “Any personal data included in or relating to the Contract, including its execution shall be processed pursuant to Regulation 45/2001…It shall be processed solely for the purposes of the performance, management…The Contractor shall have the right of access to his personal data and the right to rectify any such data that is inaccurate or incomplete. Should the Contractor have any queries concerning the processing of his personal data, he shall address them to the institution/agency. The Contractor shall have the right of recourse at any time to the EDPS”.

Mere reference to the contractor’s personal data and right of access to them is not sufficient Data subjects should also be included since part/all of their data are processed by the processor within the execution of the contract Where there is reference to “the Contractor”, institutions/agencies should add the phrase “and the data subjects whose data are processed by the Contractor”

CONCLUSIONS The determination of purposes, means, joint/single control stem from legal and factual circumstances Need for clear and unambiguous designation of controllers/processors in a written agreement Need for clear and specific allocation of responsibilities The controller(s) remains responsible on substance: (Lawfulness, quality, retention, transfer, notice, rights, security ….) The controller may allow the processor to choose the most suitable technical and organisational means

Any questions?