Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

European Data Protection Law > Seminar 9+10 - Concepts of processors and controllers > Flashcards

Seminar 9+10 - Concepts of processors and controllers Flashcards

You may prefer our related Brainscape-certified flashcards:
MBE flashcards MPRE flashcards Civil Procedure 1L flashcards
1
Q

What are the relevant provisions?

A 
●	Art. 24 (Controllers)
●	Art. 26 (Joint controllers)
●	Art. 27 (Representatives in EU when controller/processor outside the EU) 
●	Art. 28 (Processor)
●	Art. 28(3) (data protection agreement)
●	Art. 28(4) (Sub-processor)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the definition of a controller? And where is that found in GDPR?

A

A natural or legal person which, alone or jointly, determines the means and purposes of processing the personal data of others (art. 4(7))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What obligations do controllers have?

A

The controller “shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing in performed in accordance with GDPR

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is joint controllership? And where is that found in the GDPR?

A

Where two or more controllers jointly determine the purpose and means of processing, they are considered joint controllers, cf. art. 26.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How is the liability in joint controllership?

A

Each controller or processor can be held fully liable for the entire damage caused by processing under joint controllership (art. 82(4) of the GDPR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does the case (Wirtschaftsakademie) explain about joint controllership?

A

CJEU found that the operator of a social network (FB) and the administrator of a fan page on that network are jointly responsible for the processing of personal data on that page. The controllers do not, however, necessarily share equal responsibility as they may be involved at different stages.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the definition of a processor?

A

Processes personal data on behalf of the controller (strict instructions) (art. 4(8)).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Can processors be controllers?

A

○ Processors will also be data controllers in their own right in relation to the processing they perform for their own purposes (art. 28(10))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is a sub-processor?

A

where a processor engages another processor for carrying out specific processing activities on behalf of the controller (often a specific task)
○ The processor shall not engage another processor without prior specific or general written authorisation of the controller (GDPR art. 28(2))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Who is liable for a sub-processor?

A

○ The initial processor remains fully liable to the controller where a sub-processor fails to fulfil its data protection obligations (GDPR art. 28(4))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are two circumstances a DPA is required?

A

● GDPR art. 28(3): every time a controller uses a processor

● GPDR art. 28(4): every time a processor uses a sub-processor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Name some general requirements for a DPA?

A

○ The contract shall be in writing, including in electronic form (art. 28(9))
○ The contract must be binding on the processor and set out: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller (art. 28(3))
○ Before employing a sub-processor, the processor must inform the controller and obtain its prior specific (opt-in) or general (opt-out) written authorization (art. 28(2))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is a requirement when a controller or processor is established outside of the EU?

A

When a controller or processor is established outside of the EU, that company needs to appoint, in writing, a representative within the EU, cf. GDPR art. 27 (1).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What happens if there is no DPA between a controller and processor?

A

Having no such contract is an infringement of the controller’s obligation to provide written documentation of mutual responsibilities, and could lead to sanctions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Concepts of Controllers and Processors case. Who is controller vs. processor?
1. Company A enters into contracts with different organisations to carry out its mail marketing campaigns and to run its payroll. It gives clear instructions (what marketing material to send out and to whom, and who to pay, what amounts, by what date etc). Even though the organisations have some discretion (including what software to use) their tasks are pretty clearly and tightly defined and though the mailing house may offer advice (e.g. advising against sending mailings in August) they are clearly bound to act as A instructs.

A

Company A is Datacontroller

The organisaions are dataprocessers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Concepts of Controllers and Processors case. Who is controller vs. processor?
Company MarketinZ provides services of promotional advertisement and direct marketing to various companies. Company GoodProductZ concludes a contract with MarketinZ, according to which the latter company provides commercial advertising for GoodProductZ customers and is referred to as data processor. However, MarketinZ decides to use GoodProducts customer database also for the purpose of promoting products of other customers.

A

GoodProductZ is datacontroller

MarketinZ is Dataprocessor for the data, but the data they furtherly use for their own purpose, they are datacontroller.

17
Q

Concepts of Controllers and Processors case. Who is controller vs. processor?
A member of the board of a company decides to secretly monitor the employees of the company, even though this decision is not formally endorsed by the board.

A

The member is datacontroller

18
Q

Concepts of Controllers and Processors case. Who is controller vs. processor?
The owner of a building concludes a contract with a security company, so that the latter installs some cameras in various parts of the building on behalf of the controller. The purposes of the video-surveillance and the way the images are collected and stored are determined exclusively by the owner of the building

A

The owner of the building is datacontroller

The surveillance company is dataprocessor

19
Q

Concepts of Controllers and Processors case. Who is controller vs. processor?
Private bodies provide mail services on behalf of (public) agencies – e.g. the mailing of family and maternity allowances performed on behalf of the National Social Security Agency.

A

The private body is both a dataprocessor and data depending on the data.
National Social Security Agency is datacontroller for some data.

20
Q

Concepts of Controllers and Processors case. Who is controller vs. processor?
Company Y outsources some of its operations to a call centre and instructs the call centre to present itself using the identity of the data controller when calling the data controller’s clients.

A

Company Y is Datacontroller

Call center is Dataprocessor

21
Q

What is the definition of a controller under CoE law? VS EU Law?

A

Under EU law, a controller is defined as someone who “alone or jointly with others determines the purposes and means of the processing of personal data”. A controller’s decision establishes why and how data shall be processed.

Under CoE law, Modernised Convention 108 defines a ‘controller’ as “the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has the decision-making power with respect to data processing”

22
Q

1

A

1

23
Q

What is a ‘Recipient’ and is it a broader term than ‘third party’? And where is that found in the GDPR?

A

‘Recipient’ is a broader term than ‘third party’. In the meaning of Article 4 (9) of the GDPR, a recipient means “a natural or legal person, public authority, agency or another body, to which data are disclosed, whether a third party or not”.

24
Q

Is the distinction between Recipient and Third Party important?

A

Yes. The distinction between recipients and third parties is important only because of the conditions for lawful disclosure of data.

The employees of a controller or processor may be recipients of personal data without further legal requirement if they are involved in the processing operations of the controller or processor. Whereas, a third party, being separate from the controller or processor, is not authorised to use the personal data a controller processes, unless on specific legal grounds in a specific case.

25
Q

What was C-25/17 Jehova case about? And why is that relevant with regards to joint controllership?

A

CJEU found that Jehovas Witness Community and its individual members who engange in door-to-door preaching are joint controllers.

26
Q

What does C-131/12 Google Spain say about joint controllership?

A

The publishers of the relevant website may also determine the purposes and means of the processing, and thus, the search engine and the publishers are joint controllers.

European Data Protection Law (13 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions