PAGE 3 PRIVACY & DATA PROTECTION VOLUME 10, ISSUE 5 T he distinction between ments could just as readily lead Working Party data ‘controller’ and data to other service providers being ‘processor’ lies at the heart characterised as data controllers of the EU Data Protection in circumstances that they had confirms Directive 95/46/EC (the ‘Directive’), not anticipated. This would have not least because the characterisa- significant consequences for contract tion as either controller or processor governance and risk management, ‘controller’ determines the extent of a party’s as well as implications for the pricing legal obligations under the Directive. model. Experience has demonstrated that and ‘processor’ establishing whether a party is a Shortly after the SWIFT decision, controller or a processor in practical the Article 29 Working Party terms is fraught with difficulty. The signalled that it would provide increase in collaborative business further guidance on these key distinction models, the dynamic nature of the definitions, seeking to distinguish relationships between customer and the two roles. There was a degree of vendor, the advent of cloud comput- speculation at this time that it might ing and the growing use of web 2.0 be easier to abandon the controller/ models, frequently result in a blur- processor distinction altogether and ring of the line between controller to replace it with the more pragmatic Bridget Treacy, Partner and processor. concepts of ‘responsible person’ and ‘processing service provider’. at Hunton & Williams, Against this background and the somewhat controversial Opinion However, in its recent Opinion discusses the Article on SWIFT in 2006, the Article 29 the Working Party concluded that 29 Working Party’s Working Party has examined the the distinction between controller concepts of ‘controller’ and ‘processor’ and processor remains relevant clarification of the in some detail in its recently issued and workable, and therefore the Opinion 1/2010 (available from the controller/processor framework will concepts of data controller Justice and Home Affairs section remain. In light of the confirmation, and data processor of www.europa.eu). organisations must continue to analyse closely the nature of their data processing activities. Background to Opinion 1/2010 Exploring the meaning of ‘controller’ When the Article 29 Working Party analysed the data processing activities of SWIFT in 2006, it The characterisation of a party as determined that SWIFT, together a controller is important as it deter- with its financial institution clients, mines which (or whose) local law will was a co-controller in relation to govern the data processing activities. the personal data it processes. The relevant entity will need to en- sure that there is a legitimate basis The characterisation of SWIFT as for processing data and comply with a co-controller, with all of the atten- local registration requirements. dant controller obligations under The entity will also be responsible the Directive, was surprising given for providing individuals with access SWIFT’s role as a service provider to their data and dealing with facilitating the settlement of interna- their data protection rights more tional financial transactions. At the generally. time, commentators expressed con- siderable sympathy for SWIFT and The Directive defines a controller regarded the Opinion as extreme. as “the person or entity that deter- mines, alone or jointly with others, Some drew a parallel with Royal the purposes and the means of the Mail, making the point that a mere processing of personal data.” The messenger should not have the legal definition points to three characteris- responsibilities of a co-controller. tics: separate legal personality, the In addition, outsource vendors ability to act alone or with others, and other service providers were and a degree of control over the concerned by the obvious implica- data processing activity. tions for them. Applying the SWIFT analysis to many outsourced arrange- (Continued on page 4)
PAGE 4 PRIVACY & DATA PROTECTION VOLUME 10, ISSUE 5 the processing activity, the Working manoeuvre.” (Continued from page 3) The aspect of the definition Party resorts to general phrases such that causes the greatest difficulty as “level of influence” and “margin of More helpfully, the Working Party in practice is the points to three final element: the issues for ability to determine consideration: Example Controller or Reasons the ‘purposes and processor 1) the level of means’ of the data instruction that processing activity. Telecom Both Controller for traffic and billing the controller The Working Party operator data. Otherwise processor. provides to the confirms that this processor — this is a factual issue, will likely deter- Business Processor Provided scope of vendor’s yet the facts are mine the proces- process services are clearly defined often difficult sor’s margin of outsourcing and vendor is not permitted to analyse. manoeuvre in vendor to use the data for other relation to the (e.g. mail “added value” purposes. Frequently in data processing; marketing and contract negotia- payroll) tions, there is 2) whether the lengthy debate controller monitors Headhunters Ambiguous Controller in relation to as to the extent service perform- of control over but likely candidates. ance and delivery the purposes and co-controller — if the controller means of the proc- Co-controller or processor in closely supervises essing. The reality relation to client. the processor’s is that the parties compliance with tend to focus on Added value services of matching the contract, this purpose, rather against and existing database of may be an indica- than means, as the candidates points towards tor that the control- determining factor, co-controller. ler is in full control taking the view of the processing Social Controller Users also likely to be controller, that the means activities. network service unless household exemption by which the Conversely, providers applies. processing occurs is a “hands off” usually a technical approach by the Behavioural Controller Publisher is a controller. issue for the proces- controller may advertising Ad network provider is a sor to determine increase the controller. once the controller likelihood that has specified the the processor If collaborate, publisher and ad purposes of the assumes co- network provider may be joint processing. In its controller controllers. Opinion, the Work- responsibilities; ing Party refers to Accountants Both Controller where providing and both the technical general professional services. 3) data subjects’ and organisational expectations — aspects of ‘means’, Where retained for specific tasks if the controller and acknowledges under the supervision of in-house is highly visible that both elements team, e.g. internal audit, to data subjects, may be delegated processor. then it is less to the processor. likely that the Where negligence or fraud is processor will have The Opinion detected, controller in a co-controller role. provides some help- discharging professional ful examples of the obligations to report. controller/processor Exploring analysis. A selection Clinical drug trials Fact dependent Whether the sponsoring drug of these are summa- the meaning company and the trial centre are rised in the table. of ‘processor’ joint controllers depends on how the particular trial is set up and Unsurprisingly, whether the sponsor determines The Directive in describing the the purposes and means of the defines a processor degree of discretion processing. In some trials, the as “the person that a controller researcher may have greater or entity that must exercise to discretion. processes personal determine the data on behalf of purposes of the controller.”
Recommend
More recommend
