
ACTION-274: Propose non-normative text on service providers to clarify "independent use" (with rvaneijk)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wed, 31 Oct 2012 07:22:02 -0700
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8027484803528@SP2-EX07VS02.ds.corp.yahoo.com>
<Non-normative>

"Under this DNT standard, Service Providers have the same Permitted Uses as a 3rd party and must similarly limit these to only those uses and no further.

For example, if Service Provider ABC has two clients, Company XYZ and Company 123, it is able to retain data for both clients in a consolidated fashion to provide improved security services to all of its customers. Further to this example, if Service Provider ABC discovers an attack from a specific IP Address to Company XYZ, it can similarly set up a filtering/blocking rule for its other clients, such as Company 123."

<Not sure if this following section is better suited for the Global Considerations document or the Compliance and Scope document>

"In the EU:  Under the EU Directive 95/46/EC, an entity using or processing data is subject to data protection law.  A First Party (EU: data controller) is an entity or multiple entities (EU: joint data
controller) who determines the purposes and means of the data processing.  A Service Provider (EU: data processor) is an entity with a legal contractual relation to the First Party (EU: data controller).  
The Service Provider (EU: data processor) processes personal data on behalf of the First Party (EU: data controller).

- controller and processor definitions 
(http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML)
   (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
   (e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
- added "Under this DNT standard, (...)"
Received on Wednesday, 31 October 2012 14:23:00 UTC
