Re: [ACTION-48] Re-phrase 3.6.1.2.1

On 3-2-2012 21:26, Rigo Wenning wrote:
> Here is my suggested text:
> For the EU, the outsourcing scenario is clearly regulated. In the current EU
> Directive 95/46/EC, but also in the suggested regulation reforming the data
> protection regime, an entity using or processing data is subject to data
> protection law. An entity acting as a first party and contracting services of
> another party is responsible for the overall processing. If the third party
> has own rights and privileges concerning the processing of the data collected
> by the first party, it isn't a data processor anymore and thus not covered by
> exemptions. This third party is then considered as a second data controller
> with all duties attached to that status. As the pretensions of users are based
> on law, they apply to first and third party alike unless the third party acts
> as a mere data processor.
>
> Ninja, Rob, feel free to correct if this is wrong. I tried to keep it
> comprehensible.
Rigo, I have written a proposal for Issue-14 
(http://lists.w3.org/Archives/Public/public-tracking/2012Jan/0358.html), 
which could merge into your suggested text.

For the EU, the outsourcing scenario is clearly regulated. In the 
current EU
Directive 95/46/EC, but also in the suggested regulation reforming the data
protection regime, an entity using or processing data is subject to data
protection law. A First Party (EU: data controller) is an entity or 
multiple entities
(EU: joint data controller) who determines the purposes, conditions and 
means of the
data processing will be the data controller. A service provider (EU: 
data processor)
is an entity with a legal contractual relation to the Data Controller. 
The Service
Provider does determine the purposes, conditions and means of the data 
processing,
but processes data on behalf of the controller. The data processor acts 
on behalf
of the data controller and is a separate legal entity. An entity acting 
as a first
party and contracting services of another party is responsible for the 
overall processing.
A third party is an entity with no contractual relation to the Data 
Controller
and no specific legitimacy or authorization in processing personal data. 
If the third party
has own rights and privileges concerning the processing of the data 
collected
by the first party, it isn't a data processor anymore and thus not 
covered by
exemptions. This third party is then considered as a second data controller
with all duties attached to that status. As the pretensions of users are 
based
on law, they apply to first and third party alike unless the third party 
acts
as a mere data processor.

Received on Sunday, 12 February 2012 14:52:02 UTC