Controller and Processor definitions and new standard clauses
European data protection regulators have been deliberating on the definitions of a “data controller” and a “data processor”, which are increasingly blurred in a world that encompasses cloud computing and significant outsourcing. The Article 29 Working Party has produced a new opinion on the definitions and has also adopted a revised set of contractual clauses which allow EU data controllers to export personal data to processors in other countries.
Essentially, the data controller decides how to process the personal data and whether to outsource. The processor (which must be a separate legal entity) acts on behalf of the controller and takes on the obligations to process data fairly and securely. For the first time, the new contracts allow processors to sub-contract on the condition that they pass on the responsibility for data protection via these model clauses.
The big question is when (if at all) a data processor strays into the controller’s territory and effectively takes over the full responsibility of complying with the law, not to mention the controller’s liabilities to the data subject. In these new clauses, if a controller ceases to trade and a breach occurs, a processor (or even a sub-processor) could be liable.
The new clauses, which come into force on the 15th May 2010, can be accessed via this link.