from PART II - STATE OF THE ART
Published online by Cambridge University Press: 26 June 2019
271. ALLOCATION OF RESPONSIBILITY AND LIABILITY – Within the regulatory scheme of EU data protection law, the controller carries the primary responsibility for ensuring compliance. At the moment of its enactment, the EU legislature was mindful of the practice whereby one organisation requests another organisation to perform certain processing operations on its behalf. By introducing the concept of a “processor”, the EU legislature hoped to be able to address this situation and to ensure a continuous level of protection.
272. RELATIONSHIP CONTROLLER-PROCESSOR – The Article 29 Working Party has approximated the relationship between controllers and processors with the figure of delegation. The analogy appears to be founded on a number of considerations. In the first instance, a processor acts “on behalf” of a controller and is called upon to abide by the instructions given by the controller. Secondly, the consequences of the processor's actions are in principle attributed to the controller, provided that the processor merely follows the latter's instructions. Finally, the delegation figure also permits the delegate (processor) to exercise a certain amount of discretion on how to best serve the principal's (controller's) interests.
273. MULTIPLICITY OF CONTROL – Not every collaboration involving the processing of personal data between two separate actors implies the existence of a controller-processor relationship. It is equally possible that each actor processes personal data for their own distinct purposes, in which case each actor is likely to be considered a controller independently of the other. It is also possible that collaborating actors jointly exercise decision-making power concerning the purposes and means of the processing, in which case they are considered to act as joint or (co) controllers.
274. VARYING DEGREES OF CONTRACTUAL FLEXIBILITY – The GDPR has devoted several provisions to the relationship between controllers and processors. Article 28(3) specifies that the relationship between controller and processor shall be governed by a contract or other legal act, which must contain, at a minimum, all the elements mentioned in this provision. As far as joint controllers are concerned, Article 26(1) GDPR stipulates that they shall in principle determine their respective responsibilities for compliance, in particular as regards the exercise of data subject rights and their respective duties to provide the information, by means of an arrangement between them. The contrast, in terms of detail, between Article 28(3) and Article 26(1) of the GDPR is striking.