Read the book International Data Protection Laws - Amit Luhach - Page 12

5

Data Processing Contracts

Controller–Processor Contracts

The controller may involve third parties in the processing of personal data entrusted to it, but in that case it shall appoint only processors that have the expert knowledge, reliability and resources to guarantee the security of processing by using appropriate TOMs that protect the personal data of the data subjects while complying with the GDPR.1 The processor is not allowed to use another processor (sub-processor) without it being approved by the controller.2 This criterion shall ensure that the controller has a say in safeguarding the processing activities. Controller-Processor contracts may relate to any kind of services such as hosting, payroll and marketing. For example, a brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees' data. The brewery is the data controller and the payroll company is the data processor.3

The processing activities between the controller and the processor are to be regulated through a contract or EU or Member State law, in a written or an electronic form4, and must specify the subject matter, duration, nature and purpose of processing activities, the type of personal data processed and the categories of data subjects, and the controller's obligations and rights.5 The processor is allowed to process the personal data only on the instructions of the controller. Any transfer made by the processor to a third country or an international organization shall be with the permission of the controller unless the EU or Member State law provides otherwise. Moreover, the processor must notify the controller before embarking on processing, if the law does not put a restriction on such disclosure.6 The processor shall ensure that the person (mostly an employee) who comes into contact with the personal data during such processing keeps it confidential; accordingly, such person must have received some basic training and guidance on how to handle personal data.7 The processor is required to maintain and document the security of processing from start to end8 and must implement appropriate TOMs which help the controller fulfil its obligations concerning the data subject rights.9 The processor must support the controller in fulfilling his obligations under the GDPR such as security of processing, notification of personal data breach to the supervisory authority, communication of personal data breach to the data subject, DPIA and prior consultation with data protection supervisory authority where such DPIA is likely to result in a high risk to the rights and freedoms of the data subjects.10 At the end of the processing activity, the processor must delete or return the personal data if asked by the controller, unless the EU or Member State law dictates otherwise.11 The controller should be allowed to access the information which the processor has and should be permitted to conduct audits and inspections.12 The terms and conditions and obligations which apply to the processor also apply to the new processor engaged by him, and he should take the approval of the controller before such engagement. Any failure on the part of the second processor must be made right by the original processor.13 The processor is required to comply with the aforementioned provisions by using an approved code of conduct14 or an approved certification mechanism.15

The contract or EU or Member State law16 governing the relationship between a controller and a processor may be based on standard contractual clauses17, including when they form part of the certification18 granted to the controller or processor. But such a contract or EU or Member State law must not be detrimental to an individual contract governing the controller and processor relationship.19 The EU Commission retains the right to put in place standard contractual clauses for the matters covered under Article 28 (3) and (4), pursuant to the consistency mechanism20 referred to under the GDPR.21

If the processor, by determining the purposes and means of processing, infringes the provisions of the GDPR, he shall be treated as a controller without affecting any right to compensation and liability22, the general conditions for imposing administrative fines23 and penalties24 concerning such processing.25 Though specifying a controller or a processor depends on the facts and circumstances of a case, WP29 has stated that the “preference should be given to consider as a controller the company or the body as such, rather than a specific person within the company or the body”.26 The controller or the processor who is based out of EU but processes personal data of the data subjects based in EU27 is obligated to appoint, in writing, a representative in EU28, unless such processing is occasional or doesn't cover large scale processing of special categories of data29 or personal data concerning criminal convictions and offences30 and unlikely to cause risks to the data subject's rights and freedoms31 or is a public authority or body.32 The representative shall be established in the Member State where the data subject is based whose personal data is being processed by such representative.33 To comply with the GDPR, the controller or the processor shall make sure that their representative has an address and contact details which are to be used to contact him by the data protection supervisory authorities and the data subjects, concerning all issues related to the processing.34 The appointment of such a representative shall not affect any legal action or legal claim against the controller or the processor at the initiation of legal proceedings.35

Processing under Authority of Controller or Processor

The processor or any person under the authority of such processor or the controller must not process the personal data of data subjects unless told to do so by the controller or permitted by EU or Member State law.36

Joint Controllership

When two or more controllers jointly determine the purposes and means of processing, they become joint controllers.37 For example, your company offers babysitting services via an online platform. At the same time, your company has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of ‘combined services’ but they also design and use a common platform.38 Again, such “joint controllers” need to agree on their data processing in an agreement setting out their respective rights and obligations.

Controller, Processor and Joint Controllers Checklists

The checklist below sets out indicators as to whether you are a controller, processor or joint controllers. The more boxes you tick, the more likely you are to fall within the relevant category.39

Are you a controller?

☐ You decided to collect or process personal data.

☐ You decided what the purpose or outcome of the processing was to be.

☐ You decided what personal data should be collected.

☐ You decided which individuals to collect personal data about.

☐ You get commercial gain or benefits from processing, except for any payment for services from another controller.

☐ You process personal data as a result of a contract between you and the data subject.

☐ The data subjects are your employees.

☐ You make decisions about individuals concerned as part of or as a result of processing.

☐ You exercise professional judgement in personal data processing.

☐ You have a direct relationship with the data subjects.

☐ You have complete autonomy as to how the personal data is processed.

☐ You have appointed the processors to process the personal data on your behalf.

Are you a processor?

☐ You are following instructions from someone else regarding the processing of personal data.

☐ You were given the personal data by a customer or a similar third party or told what data to collect.

☐ You do not decide to collect personal data from individuals.

☐ You do not decide what personal data should be collected from individuals.

☐ You do not decide the lawful basis for the use of that data.

☐ You do not decide what purpose or purposes the data will be used for.

☐ You do not decide whether to disclose the data or to whom.

☐ You do not decide how long to retain the data.

☐ You may make some decisions on how data is processed, but implement these decisions under a contract with someone else.

☐ You are not interested in the end result of the processing.

Are you joint controllers?

☐ You have a common objective with others regarding the processing.

☐ You are processing the personal data for the same purpose as another controller.

☐ You are using the same set of personal data (e.g. one database) for this processing as another controller.

☐ You have designed this process with another controller.

☐ You have common information management rules with another controller.
