- From: Rob van Eijk <rob@blaeu.com>
- Date: Sun, 12 Feb 2012 15:51:34 +0100
- To: Rigo Wenning <rigo@w3.org>
- CC: "Amy Colando (LCA)" <acolando@microsoft.com>, MeMe Rasmussen <meme@adobe.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
On 3-2-2012 21:26, Rigo Wenning wrote: > Here is my suggested text: > For the EU, the outsourcing scenario is clearly regulated. In the current EU > Directive 95/46/EC, but also in the suggested regulation reforming the data > protection regime, an entity using or processing data is subject to data > protection law. An entity acting as a first party and contracting services of > another party is responsible for the overall processing. If the third party > has own rights and privileges concerning the processing of the data collected > by the first party, it isn't a data processor anymore and thus not covered by > exemptions. This third party is then considered as a second data controller > with all duties attached to that status. As the pretensions of users are based > on law, they apply to first and third party alike unless the third party acts > as a mere data processor. > > Ninja, Rob, feel free to correct if this is wrong. I tried to keep it > comprehensible. Rigo, I have written a proposal for Issue-14 (http://lists.w3.org/Archives/Public/public-tracking/2012Jan/0358.html), which could merge into your suggested text. For the EU, the outsourcing scenario is clearly regulated. In the current EU Directive 95/46/EC, but also in the suggested regulation reforming the data protection regime, an entity using or processing data is subject to data protection law. A First Party (EU: data controller) is an entity or multiple entities (EU: joint data controller) who determines the purposes, conditions and means of the data processing will be the data controller. A service provider (EU: data processor) is an entity with a legal contractual relation to the Data Controller. The Service Provider does determine the purposes, conditions and means of the data processing, but processes data on behalf of the controller. The data processor acts on behalf of the data controller and is a separate legal entity. An entity acting as a first party and contracting services of another party is responsible for the overall processing. A third party is an entity with no contractual relation to the Data Controller and no specific legitimacy or authorization in processing personal data. If the third party has own rights and privileges concerning the processing of the data collected by the first party, it isn't a data processor anymore and thus not covered by exemptions. This third party is then considered as a second data controller with all duties attached to that status. As the pretensions of users are based on law, they apply to first and third party alike unless the third party acts as a mere data processor.
Received on Sunday, 12 February 2012 14:52:02 UTC