
1 Processing on behalf of the controller: joint control under Regulation 45/2001
Xanthi Kapsosideri

2 8 June 2011
CONCEPT OF CONTROLLER
Definition in Art. 2(d): an autonomous concept intended to allocate responsibilities (WP29, Opinion 1/2010)
- It is the institution/agency that is considered ultimately responsible for the data processing and for the related obligations
- A person may be designated, but will act on behalf of the institution/agency

3
A specific identity is nevertheless important:
- as interface/contact person for the data subjects' rights
- to ensure data quality (according to Art. 4(2)) and full compliance with data protection principles
- for transparency
But ultimate responsibility lies with the institution/agency!

4
CONCEPT OF PROCESSOR
Definition in Art. 2(e): its existence and lawfulness are determined by the mandate given by the controller (WP29, Opinion 1/2010)
Two conditions for being a processor:
- an external, separate entity
- processing data on behalf of the controller

5
Examples
- Services and units: JRC 2008-0141
- HR Department and confidential counsellors: FRA 2010-722 = CO-RESPONSIBILITY
- Draft implementing rules: ERCEA 2010-341
Legally, controllership remains with the institution/agency.
A controller-processor arrangement within a single agency is not possible.

6
EXAMPLES OF EXTERNAL OUTSOURCING
- The Commission's medical service acts as processor for an agency and the processing is governed by an SLA (JOH-18 agencies, 2010-0171)
- An external medical centre carries out some or most of the medical exams on behalf of an agency, and the medical advisor processes medical data at the agency's premises on behalf of the agency
- An insurance company reimburses data subjects in case of accident/occupational disease by processing medical data on behalf of the EP (2006-0303) and the Council (2004-0257)

7
JOINT CONTROL
A) Large-scale IT systems
CPCS: competent authorities in the Member States, Single Liaison Offices (specific public authorities in the Member States), Commission (2009-0019)
EDPS:
- Each competent authority, as a user, acts as a controller under national DP law and is responsible, i.e. for the relevance and accuracy of the information uploaded
- Each SLO, as a coordinator, acts as a controller for its own activities
- The Commission operates the system, ensures the security of the data exchanged, and has the exclusive role in carrying out the deletion of cases...

8
EWRS: Commission, ECDC, Member State contact points, Steria (2009-0137)
EDPS:
- The Commission (operational role) and ECDC (risk assessment role) are co-controllers of the system
- The Commission has read and write access and is responsible for accuracy/proportionality; it acts as a separate controller
- ECDC has read access only and evaluates whether it is entitled to make transfers to third parties; it acts as a separate controller
- Member States are responsible for their own processing operations when using EWRS and act as separate controllers
- Steria is a subcontractor of ECDC hosting EWRS

9
B) Research projects
PROTECT: EMA, member of a consortium, Steering Committee, Outcome (2010-0818)
Is EMA a joint controller?
EDPS: the notion of controller should be considered with regard to the consortium as a whole:
- Members of the consortium remain responsible for the decision making despite delegation to the Steering Committee
- The Steering Committee acts without specific autonomy and only takes decisions on behalf of the consortium, whose members co-decide

10
- EMA should be considered as one of the controllers that determine the purposes and means of the processing, as a member of the consortium
- Outcome acts as a processor and as a principal controller, since it is also a member of the consortium and is actually processing personal data
- The different levels of responsibility, joint or sole, should be distinguished in a written agreement

11
ARTICLE 23 REQUIREMENTS
The contract or legal act should stipulate that:
- the processor shall act only on instructions from the controller (Article 23(2)(a));
- the obligations with regard to confidentiality (Art. 21) and security measures (Art. 22) are incumbent on the processor (Article 23(2)(b)), unless the processor is subject to the national law of one of the Member States, in which case those obligations are incumbent on the processor by virtue of Article 17(3), second indent, of Directive 95/46/EC (Article 23(2)(b)).

12
ARTICLE I.X - DATA PROTECTION
"Any personal data included in or relating to the Contract, including its execution, shall be processed pursuant to Regulation 45/2001... It shall be processed solely for the purposes of the performance, management... The Contractor shall have the right of access to his personal data and the right to rectify any such data that is inaccurate or incomplete. Should the Contractor have any queries concerning the processing of his personal data, he shall address them to the institution/agency. The Contractor shall have the right of recourse at any time to the EDPS."

13
- A mere reference to the contractor's personal data and the right of access to them is not sufficient
- Data subjects should also be included, since part or all of their data are processed by the processor within the execution of the contract
Where there is a reference to "the Contractor", institutions/agencies should add the phrase "and the data subjects whose data are processed by the Contractor"

14
CONCLUSIONS
- The determination of purposes, means and joint/single control stems from the legal and factual circumstances
- Need for a clear and unambiguous designation of controllers/processors in a written agreement
- Need for a clear and specific allocation of responsibilities
- The controller(s) remain responsible on substance (lawfulness, quality, retention, transfer, notice, rights, security, ...)
- The controller may allow the processor to choose the most suitable technical and organisational means

15
Any questions?
