Law
Read books online » Law » GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖

Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali



1 ... 9 10 11 12 13 14 15 16 17 ... 71
Go to page:
to data subjects, a joint controller may claim its losses from other joint controllers or processors, if applicable, according to its roles and responsibilities in the processing at stake.

Under the term joint data controllers GDPR has a specific set of requirements, as defined under Article 26 – Joint Controllers. Under GDPR, the term joint data controllers is defined as “where two or more controllers jointly determine the purposes and means of processing”. But in what scenarios would joint data controllers be defined? And how can we identify these? This article looks at joint data controllers GDPR defines in more detail.

Within the definition for joint controllers GDPR states that two or controllers may act as joint data controllers where each party has responsibility, or shared liability, for the data in question. The Article 29 working party guidance expands on this to state that where controllers are acting simultaneously on personal data to provide a service to a consumer this may also result in a joint data controller. For example, if data is collected through a web front end and provided to 2 separate entities who conduct some form of processing, but are ultimately responsible for the security of said data, this may result in joint data controllers. While there is no definitive list of where joint data controllers should be used, it is more often than not when both parties have clear obligations, and liabilities, to the data subjects that joint data controllers should be used.

Joint data controllers by their nature work together to determine how personal data should be processed, and the manner of processing. To confuse matters, the term data controllers in common can be used to describe where two controllers are processing data independent of each other. So using the example provided above, were both entities to jointly decide how to protect and manage personal data collected, they would be joint data controllers. If both parties were independently processing said data, with no arrangements or agreements between each other, then both parties would be data controllers in common.

Why is it so important under GDPR? Well, the obligations for controllers and processors vary. Therefore, it is imperative organisations understand their role with regards to personal data. Joint data controllers must be identified and relationships established so both parties are happy with how data is processed, whereas controllers in common have little interest in how the other party is processing this data, as they are no longer liable for it under GDPR. So for joint data controllers GDPR requires that each party clearly define their responsibilities under the regulation. For example, how would data subject rights be managed between both parties e.g. right to erasure or subject access requests? And how about in situations where one party has differing requirements, how is this communicated and agreed?

The answer is that specific arrangements need to be drawn up where joint data controllers are identified. The term agreement and not contract is key here, it is not mandatory under GDPR to have contracts in place between joint data controllers, although an agreement should be in place that ensures clarity between both parties. Agreements should be drawn up, agreed by both parties and monitored over time as per any contract or agreement with a third party.

The key point is that joint data controllers GDPR requirements are relatively unclear, and it is left to the organisation to identify scenarios where they feel joint data controllers are needed. When those situations arise, both controllers should be clear on what their responsibilities are, and how they will comply with managing personal data securely in a joined up manner.

To summaries:

Joint data controllers are both responsible for determining the processing requirements for personal data under their control.

Joint data controllers are not the same as data controllers in common, who process the same data in different ways. There is no requirement for alignment or agreements to be in place for controllers in common.

Agreements should be in place between joint data controllers which set out the roles and responsibilities for both parties. This does not need to be a contract but should be clear, unambiguous and regularly monitored/reviewed.

Joint data controllers GDPR definitions are not prescriptive. Article 26 only specifies a minimal amount of information so do not under estimate the amount of

work that may be required to determine where joint data controllers may be required.

Establish use cases for joint data controllers and ensure that any new projects, systems or joint ventures, for example, consider that joint data controller agreements may be required.

Under the Directive, joint controllers are generally only liable for the harm for which they are responsible. This means that, in some circumstances (e.g., where one of the joint controllers becomes insolvent) data subjects may not be able to obtain full compensation for any harm arising from the joint processing. The GDPR reverses this approach, making each of the joint controllers fully liable to the data subject. The data subject is therefore entitled to bring a claim against whichever of the joint controllers he or she wishes. Once "full compensation" (a term that is not further explained in the GDPR) has been paid, the joint controller(s) who paid that compensation may then seek to recover damages from any other joint controllers involved in the joint processing. There is an exemption, but it only applies if the controller is not in any way responsible for the harm. Consequently, where a joint controller only has minimal responsibility for that harm, it nevertheless remains liable to pay "full compensation" to affected data subjects. It is likely that, under the GDPR, joint controllers will increasingly seek contractual indemnities from one another prior to commencing any joint processing.


Art. 27 GDPR Representatives of controllers or processors not established in the Union

Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

The obligation laid down in paragraph 1 of this Article shall not apply to:

processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

a public authority or body.

The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

The designation of a representative by the controller or processor shall be without prejudice to legal actions, which could be initiated against the controller or the processor themselves.

Suitable Recitals

Designation of a representative

COMMENTARY:

In the case of application of Article 3 (2), Article 27 of the Regulation requires the controllers and the processors who are not established in the Union to designate in writing a representative, when the Regulation applies to their processing activities. As explained above (see Comment to Article 3.2), the Regulation was made applicable to a controller or a processor who is not established in the Union, where the processing activities are related to the supply of goods or services to such data subjects in the Union, a payment is required or not from such data subjects or to the monitoring of their behaviour, to the extent that it takes place within the European Union.

Let us recall that pursuant to Article 4 (17) of the Regulation, the representative is "a natural or legal person established in the Union designated by the controller or processor in writing pursuant to Article 27 who represents the controller or processor with regard to their respective obligations under this Regulation". Let’s note again that a written agreement is required for such designation.

The provision specifies that this obligation does not apply to processing that is occasional and that does not include, on a large scale, the processing of sensitive data within the meaning of Article 9 (1) or data on convictions and criminal offenses (Art. 10) and is not likely to create risk to the rights and freedoms of natural persons, taking into account the processing nature, context, scope and purposes. This applies even when the controller or the processor is an authority or a public body.

This representative must be established in one of the Member States in which reside the natural persons whose personal data are processed in the context of the supply of goods or services they are offered or whose behaviour is monitored.

The representative, who acts on behalf of the controller or the processor, is namely the point of contact for the supervisory authorities (see Article 58) and the data subjects on all matters relating to the processing of personal data. The representative must be expressly authorised in writing by the controller or the processor to act on their behalf to fulfill their duties under the Regulation and to be consulted in addition to or instead of the controller or the processor, including the supervisory authorities and the data subjects.

This representative is also required to maintain a register of all types of personal data processing activities carried out under their responsibility (see Article 30). The main innovation of the second draft Regulation is to provide the possibility of imposing coercive measures against the representative in case of non-compliance

with this Regulation by the controller (see recital 80 and Article 27 (4) of the Regulation). However, the designation of a representative does not affect the responsibility of the controller or the processor in respect of the authorities and the data subjects, since the designation of a representative is without prejudice to the legal actions could be brought against the controller and the processor themselves. Article 4.2. of the Directive provided that the controller who has no establishment in the EU but which falls under the Union law under the extraterritorial criteria for application of European regulations must designate a representative in the territory of the member State having jurisdiction under Article 4.1. c).


Art. 28 GDPR Processor

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

Takes all measures required pursuant to Article 32;

Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for

the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3. shall be imposed on that other processor by way of a contract or other legal act under

1 ... 9 10 11 12 13 14 15 16 17 ... 71
Go to page:

Free ebook «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment