in the course of legitimate activities of a non-profit body with political, philosophical, religious or trade union aims [26]
data manifestly made public by the data subject [27]
in connection with legal claims [28]
substantial public interest [29]
preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, provision of health or social care or treatment, or managing health or social care systems and services [30]
public interest in the area of public health [31]
archiving in the public interest, scientific or historical research or statistics [32]
Data Processing Contracts
Controller–Processor Contracts
A controller may involve third parties in the processing of personal data entrusted to it, but in that case it shall appoint only processors that offer sufficient guarantees, in terms of expert knowledge, reliability and resources, that the processing will be secure and compliant with the GDPR, by implementing appropriate technical and organisational measures (TOMs) that protect the personal data of the data subjects. [1] The processor may not engage another processor (a sub-processor) without the prior authorisation of the controller. [2] This requirement ensures that the controller keeps a say in safeguarding the processing activities. Controller-processor contracts may relate to any kind of service, such as hosting, payroll or marketing. For example, a brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees' data. The brewery is the data controller and the payroll company is the data processor. [3]
The processing carried out by a processor on behalf of a controller must be governed by a contract or other legal act under EU or Member State law, in written form, including electronic form, [4] which must specify the subject matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. [5] The processor may process the personal data only on documented instructions from the controller. This includes any transfer of personal data to a third country or an international organisation, which requires the controller's instruction unless EU or Member State law requires the transfer; in that case the processor must inform the controller of that legal requirement before processing, unless the law prohibits such disclosure. [6] The processor must ensure that the persons (usually employees) authorised to process the personal data have committed themselves to confidentiality; accordingly, such persons should have received basic training and guidance on how to handle personal data. [7] The processor is required to ensure and document the security of processing from start to end [8] and must implement appropriate TOMs that help the controller fulfil its obligations concerning data subject rights. [9] The processor must also assist the controller in meeting its obligations under the GDPR in respect of security of processing, notification of personal data breaches to the supervisory authority, communication of personal data breaches to data subjects, data protection impact assessments (DPIAs) and prior consultation with the supervisory authority where a DPIA indicates that the processing is likely to result in a high risk to the rights and freedoms of data subjects. [10] At the end of the provision of services, the processor must delete or return the personal data, at the controller's choice, unless EU or Member State law requires its retention. [11]
The processor must make available to the controller all information necessary to demonstrate compliance and must allow for and contribute to audits and inspections conducted by the controller or by an auditor mandated by the controller. [12] The same data protection obligations that apply to the processor must be imposed on any sub-processor it engages, and the processor must obtain the controller's authorisation before such engagement; where the sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller. [13] Adherence to an approved code of conduct [14] or an approved certification mechanism may be used by the processor as an element to demonstrate that it provides sufficient guarantees. [15]
The contract or other legal act under EU or Member State law [16] governing the relationship between a controller and a processor may be based, in whole or in part, on standard contractual clauses [17], including when they form part of a certification [18] granted to the controller or processor. This is without prejudice to an individual contract between the controller and the processor. [19] The European Commission may lay down standard contractual clauses for the matters covered by Article 28(3) and (4), and a supervisory authority may adopt such clauses in accordance with the consistency mechanism [20] referred to in the GDPR. [21]
If a processor infringes the GDPR by itself determining the purposes and means of processing, it is considered to be a controller in respect of that processing, without prejudice to the provisions on the right to compensation and liability [22], the general conditions for imposing administrative fines [23] and penalties [24]. [25] Although whether an entity is a controller or a processor depends on the facts and circumstances of each case, the Article 29 Working Party (WP29) has stated that "preference should be given to consider as a controller the company or the body as such, rather than a specific person within the company or the body". [26] A controller or processor that is not established in the EU but processes personal data of data subjects who are in the EU [27] is obliged to designate, in writing, a representative in the EU [28], unless the processing is occasional, does not include large-scale processing of special categories of data [29] or of personal data relating to criminal convictions and offences [30], and is unlikely to result in a risk to the rights and freedoms of data subjects [31], or unless the controller or processor is a public authority or body. [32] The representative must be established in one of the Member States where the data subjects whose personal data is being processed are located. [33] The controller or processor must ensure that the representative has an address and contact details through which it can be reached, in addition to or instead of the controller or processor, by the supervisory authorities and by data subjects on all issues related to the processing. [34] The designation of a representative is without prejudice to any legal action that could be initiated against the controller or the processor themselves. [35]
Processing under Authority of Controller or Processor
The processor, and any person acting under the authority of the controller or of the processor who has access to personal data, must not process that data except on instructions from the controller, unless required to do so by EU or Member State law. [36]
When two or more controllers jointly determine the purposes and means of processing, they are joint controllers. [37] For example, your company offers babysitting services via an online platform. At the same time, your company has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients' names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of "combined services" but they also design and use a common platform. [38] Joint controllers must determine their respective responsibilities for compliance with the GDPR in an arrangement between them, setting out their respective rights and obligations, in particular as regards the exercise of data subject rights.