Processing on behalf of the controller
Joint control under Regulation 45/2001
Xanthi Kapsosideri


8 June 2011

CONCEPT OF CONTROLLER

Definition in Art.2(d): autonomous concept intended to allocate responsibilities (WP29 – Opinion 1/2010)
- It is the institution/agency which shall be considered as ultimately responsible for data processing and obligations
- A person may be designated, but will act on behalf of the institution/agency

A specific identity is important:
- as interface/contact person for the data subjects’ rights
- to ensure data quality (according to Art.4(2)), full compliance with data protection principles, transparency

But ultimate responsibility lies with the institution/agency!

CONCEPT OF PROCESSOR

Definition in Art.2(e): its existence and lawfulness is determined by the mandate given by the controller (WP29 – Opinion 1/2010)

2 conditions for being a processor:
- External separate entity
- Processing data on behalf of the controller

Examples
- Services & units – JRC
- HR Department & confidential counsellors – FRA = CO-RESPONSIBILITY
- Draft implementing rules – ERCEA

Legally, controllership remains at the institution/agency. A system of controller-processor within an agency is not possible.

EXAMPLES OF EXTERNAL OUTSOURCING
- the Commission's medical service acts as processor to an agency and the processing is governed by an SLA (JOH-18 agencies),
- an external medical centre carries out some or most of the medical exams on behalf of an agency and the medical advisor processes medical data at the agency's premises on behalf of an agency
- an insurance company reimburses data subjects in case of accident/occupational disease by processing medical data on behalf of the EP ( ) and Council ( )

JOINT CONTROL

A) Large scale IT systems

CPCS: competent authorities in M.S, Single Liaison Offices (specific public authorities in M.S), Commission ( )

EDPS:
- Each competent authority, as a user, acts as a controller under national DP law and is responsible i.e. for the relevance and accuracy of the info uploaded
- Each SLO, as a coordinator, acts as a controller to their own activities
- The Commission operates the system, ensures the security of the data exchanged, has exclusive role in carrying out deletion of cases …

EWRS: Commission, ECDC, M.S contact points, Steria ( )

EDPS: Commission (operation role) & ECDC (risk assessment role) are co-controllers of the system
- COMM has read and write access + responsible for accuracy/proportionality, acts as a separate controller
- ECDC has only read access + evaluates if it is entitled to make transfers to 3rd parties, acts as a separate controller
- M.S are responsible for their own processing operations when using EWRS and act as separate controllers
- Steria is a subcontractor of ECDC hosting EWRS

B) Research Projects

PROTECT: EMA, member of a consortium, Steering Committee, Outcome ( )

Is EMA a joint controller?

EDPS: notion of controller should be considered with regard to the consortium as a whole:
- Members of the consortium remain responsible for the decision making despite delegation to S.C
- The S.C acts without specific autonomy and it only takes decisions on behalf of the consortium, whose members co-decide

- EMA should be considered as one of the controller(s), which determines the purposes and means of the processing, as a member of the consortium
- Outcome acts as a processor + a principal controller, since it is also a member of consortium and it is actually processing personal data
- Different levels of responsibilities, jointly or solely, should be distinguished in a written agreement

Article 23 REQUIREMENTS

The contract or legal act should include that:
- the processor shall act only on instructions from the controller (Article 23(2)(a));
- the obligations with regard to confidentiality (Art.21) and security measures (Art.22) should be incumbent on the processor (Article 23(2)(b)) unless the processor is subject to a national law of one of the M.S, then by virtue of Article 17(3), second indent, of Directive 95/46/EC, those obligations are incumbent on the processor (Article 23(2)(b)).

ARTICLE I.X - DATA PROTECTION

“Any personal data included in or relating to the Contract, including its execution shall be processed pursuant to Regulation 45/2001…It shall be processed solely for the purposes of the performance, management…The Contractor shall have the right of access to his personal data and the right to rectify any such data that is inaccurate or incomplete. Should the Contractor have any queries concerning the processing of his personal data, he shall address them to the institution/agency. The Contractor shall have the right of recourse at any time to the EDPS”.

- Mere reference to the contractor’s personal data and right of access to them is not sufficient
- Data subjects should also be included since part/all of their data are processed by the processor within the execution of the contract

Where there is reference to “the Contractor”, institutions/agencies should add the phrase “and the data subjects whose data are processed by the Contractor”

CONCLUSIONS
- The determination of purposes, means, joint/single control stems from legal and factual circumstances
- Need for clear and unambiguous designation of controllers/processors in a written agreement
- Need for clear and specific allocation of responsibilities
- The controller(s) remains responsible on substance (lawfulness, quality, retention, transfer, notice, rights, security …)
- The controller may allow the processor to choose the most suitable technical and organisational means

Any questions?