Presentation is loading. Please wait.

Presentation is loading. Please wait.

Processing on behalf of the controller Joint control under Regulation 45/2001.

Published byBlanche Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "Processing on behalf of the controller Joint control under Regulation 45/2001."— Presentation transcript:

1 Processing on behalf of the controller Joint control under Regulation 45/2001

2 8 June 2011 CONCEPT OF CONTROLLER Definition in Art.2(d) - autonomous concept intended to allocate responsibilities ( WP29 – Opinion 1/2010 )  It is the institution/agency which shall be considered as ultimately responsible for data processing and obligations  A person may be designated, but will act on behalf of the institution/agency

3 8 June 2011 A specific identity is important: as interface/contact person for the data subjects’ rights to ensure data quality (according to Art.4(2)), full compliance with data protection principles, Transparency But ultimate responsibility lies with the institution/agency!

4 8 June 2011 CONCEPT OF PROCESSOR Definition in Art.2(e) - Its existence and lawfulness is determined by the mandate given by the controller ( WP29 – Opinion 1/2010) 2 conditions for being a processor:  External separate entity  Processing data on behalf of the controller

5 8 June 2011 EXAMPLES OF EXTERNAL OUTSOURCING the Commission's medical service acts as processor to an agency and the processing is governed by a SLA, an external medical centre carries out some or most of the medical exams on behalf of an agency and the medical advisor processes medical data at the agency's premises on behalf of an agency an insurance company reimburses data subjects in case of accident/occupational disease by processing medical data on behalf of the EP and Council

6 8 June 2011 JOINT CONTROL/CONTROLLERSHIP Large scale IT systems The Custom Information system (CIS) case OLAF and the competent authorities in the MS are co-controllers. Why? Some of the tasks of a controller cannot be fulfilled by OLAF. The uploading and amending of data, the decision on whether or not to extend storage for CIS cases, is done by the competent authorities in the MS + They are the only ones capable of changing data uploaded by them so the right to rectification (incumbent on the controller, Art. 14) is to be ensured by them + They are the one authorising transfers to third countries.

7 8 June 2011 Competent authorities cannot be regarded as mere users of the system. Their decisions have significant impact on the purposes of the processing. CIS mirrors other large-scale IT systems such as EURODAC in which the Commission is responsible for the setting up and the operational management, but not for the actual content of the data uploaded to the system: OLAF sets up the system, gives concrete form to the autorisation in the legal basis: it partly determines the means and purposes of processing. So do the competent authorities of the MS. Each controller is responsible of its own processing operations.

8 8 June 2011 Article 23 Processing of personal data on behalf of controllers REQUIREMENTS The contract or legal act binding the controller and the processor should include that: the processor shall act only on instructions from the controller (Article 23(2)(a)); the obligations with regard to confidentiality (Art.21) and security measures (Art.22) should be incumbent on the processor (Article 23(2)(b)) unless the processor is subject to a national law of one of the M.S, then by virtue of Article 17 (3), second indent, of Directive 95/46/EC, those obligations are incumbent on the processor (Article 23(2)(b)).

9 8 June 2011 ARTICLE I.X-DATA PROTECTION “Any personal data included in or relating to the Contract, including its execution shall be processed pursuant to Regulation 45/2001…It shall be processed solely for the purposes of the performance, management…The Contractor shall have the right of access to his personal data and the right to rectify any such data that is inaccurate or incomplete. Should the Contractor have any queries concerning the processing of his personal data, he shall address them to the institution/agency. The Contractor shall have the right of recourse at any time to the EDPS”.

10 8 June 2011  Mere reference to the contractor’s personal data and right of access to them is not sufficient  Data subjects should also be included since part/all of their data are processed by the processor within the execution of the contract Where there is reference to “the Contractor”, institutions/agencies should add the phrase “and the data subjects whose data are processed by the Contractor”

11 8 June 2011 CONCLUSIONS  The determination of purposes, means, joint/single control stem from legal and factual circumstances  Need for clear and unambiguous designation of controllers/processors in a written agreement  Need for clear and specific allocation of responsibilities  The controller(s) remains responsible on substance: (Lawfulness, quality, retention, transfer, notice, rights, security ….)  The controller may allow the processor to choose the most suitable technical and organisational means

12 8 June 2011 Any questions?

Download ppt "Processing on behalf of the controller Joint control under Regulation 45/2001."

Similar presentations

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
The data retention directive: data protection aspects Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg 375 B-1040.

The data retention directive: data protection aspects Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg 375 B-1040.
1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.

1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Not legally binding FP7 Rules for Participation and Grant agreement FP7 Helpdesk 

Not legally binding FP7 Rules for Participation and Grant agreement FP7 Helpdesk 
Europol’s tailor-made data protection framework

Europol’s tailor-made data protection framework
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
Outsourcing: The Ethical Issues Steven M. Richman November 2014.

Outsourcing: The Ethical Issues Steven M. Richman November 2014.
THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS

THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS
Migration Law Schengen Information System by Konrad Wilk.

Migration Law Schengen Information System by Konrad Wilk.
Processing on behalf of the controller Joint control under Regulation 45/2001 Xanthi Kapsosideri.

Processing on behalf of the controller Joint control under Regulation 45/2001 Xanthi Kapsosideri.
TAIEX Seminar on the Directive on Services in the Internal Market Warsaw, 31.03.2008 Freedom to Provide Services Clause Article 16 Sophie Malétras.

TAIEX Seminar on the Directive on Services in the Internal Market Warsaw, Freedom to Provide Services Clause Article 16 Sophie Malétras.
Good practices from and for the EU accountability process Irena Petruškevičienė Vilnius, 17 October 2006.

Good practices from and for the EU accountability process Irena Petruškevičienė Vilnius, 17 October 2006.
Data Protection Compliance Professor Ian Walden Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University.

Data Protection Compliance Professor Ian Walden Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University.
The 3rd package for the internal energy market Key proposals EUROPEAN COMMISSION Heinz Hilbrecht Directorate C - Security of supply and energy markets.

The 3rd package for the internal energy market Key proposals EUROPEAN COMMISSION Heinz Hilbrecht Directorate C - Security of supply and energy markets.
European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 European Privacy and Data Protection Policy.

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 European Privacy and Data Protection Policy.
The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma.

The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma.
Undertakings for collective investment in transferable securities (UCITS) Worldbank Global Development Learning Network The Advanced Program in Accounting.

Undertakings for collective investment in transferable securities (UCITS) Worldbank Global Development Learning Network The Advanced Program in Accounting.

Similar presentations

Ads by Google