PLEASE NOTE: Our website uses a technology called cookies to improve your experience. One of the cookies we use is essential for parts of the site to operate and may have already been set. You may delete and block all cookies from this site, but parts of the site will not work. For more information see our privacy policy.

To accept cookies from this site (and hide this notice) please check this box and click the continue button.

HomeThe IssuesOur ServicesOur TeamPublicationsTestimonialsNewsletterContact us

Controller and Processor definitions and new standard clauses

European data protection regulators have been deliberating on the definitions of a “data controller” and a “data processor” which are increasingly blurred in a world that encompasses cloud computing and significant outsourcing. The Article 29 Working party has produced a new opinion on the definitions and has also adopted a revised set of contractual clauses which allow EU data controllers to export personal data to processors in other countries.

Essentially, the data controller decides how to process the personal data and whether to outsource. The processor (which must be a separate legal entity) acts on behalf of the controller and takes on the obligations to process data fairly and securely. For the first time, the new contracts allow processors to sub-contract on the condition that they pass on the responsibility for data protection via these model clauses.

The big question is when (if at all) does a data processor stray into the controller’s territory and effectively take over the full responsibility of complying with the law not to mention the controller’s liabilities to the data subject. In these new clauses, if a controller ceases to trade and a breach occurs, a processor (or even a sub-processor) could be liable.

The new clauses which come into force on the 15th May 2010 can be accessed via this link.

Other recent items: