International E-news - March 2010
1. EU Article 29 DP Working Party publishes opinion on processor and controller
The European Union’s Art. 29 Data Protection Working Party, (the group of national Data Protection Authorities) has now issued its opinion on the concepts of "controller" and "processor”, giving some indication of who is responsible for complying with DP law in various circumstances. The group says that there are two basic conditions for qualifying as a processor:
- Being a separate legal entity from the controller, and
- Processing personal data on his behalf.
‘This processing activity may be limited to a very specific task or context or may accommodate a certain degree of discretion about how to serve the controller's interests, allowing the processor to choose the most suitable technical and organizational means,’ the group says.
Furthermore, ‘the role of processor does not stem from the nature of an actor processing personal data but from its concrete activities in a specific context and with regard to specific sets of data or operations. Some criteria may be helpful in determining the qualification of the various actors involved in the processing: the level of prior instruction given by the data controller; the monitoring by the data controller of the level of the service; the visibility towards data subjects; the expertise of the parties; the autonomous decision-making power left to the various parties.’
The opinion helpfully includes some examples: e.g. payroll processing companies would clearly be data processors.
Read more of what this means in the next Privacy Laws & Business International Newsletter, in April.
The Opinion, adopted on 16 February was published on 25th February.
For further details on the Privacy Laws & Business International Newsletter, please click here.
Copyright Privacy Laws & Business 2010