Controller and Processor standard clauses

By | Monday October 23rd, 2017

The French DPA (CNIL) and the Spanish DPA (AEPD) have issued two guides for data processors, namely “Règlement européen sur la protection des données : un guide pour accompagner les sous-traitants” and “Directrices para contratos responsable – encargado” respectively. Furthermore, the English DPA (ICO) has published a draft GDPR contracts guidance.

These are helpful to anyone trying to comply with GDPR, for the following reasons:

  • GDPR improved on the 95/46 Directive by introducing obligations for data processors, but it is addressed chiefly to data controllers, and the data processor role is dealt with in only a few articles (mainly art. 28). The data processor definition itself is framed in relation to the controller: “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
  • It is not trivial to determine whether an outsourced service falls within the data processor definition or whether the company performing the service is a data controller in its own right. The Art. 29 WP Opinion 1/2010 on the concepts of “controller” and “processor” is a reference source.
  • The appendices of the guides offer an authoritative example of the contractual clauses for the agreement between data controller and data processor. This is very valuable for organizations preparing for the May 2018 deadline, since revisiting all contractual obligations is a time-consuming task for both data processor and data controller. Often a service company is in both roles, particularly in a cloud environment.

Attached is my own Italian translation of the Appendix to the CNIL document.

Another source is the International Regulatory Strategy Group example of contractual clauses.


About Pastore

Maurizio Pastore's career has encompassed different fields of Information and Communication Technology (software development, network and system management), operating in different vertical markets (manufacturing, telecommunications, public administration). In the last five years he has focused on information security and privacy. Since 2012 he has acted as Data Privacy Officer and as Chief Information Security Officer in Liguria Digitale, the Regione Liguria ICT company. Since 2016 he has focused on Privacy & Security Services for Liguria Digitale customers. He is currently the DPO for Azienda Ospedaliera S.Luigi Orbassano, ASL TO4, ASL TO5, AISM, FISM, and Città Metropolitana di Genova.
