[council] GDPR EPDP

Flip Petillion fpetillion at petillion.law
Fri Jan 18 11:05:19 UTC 2019 

Thank you for sharing Erika.

Having read the guidance document, it remains clear that the distinction controller / processor is a functional one, which must be based on a factual analysis of the processing activities instead of the contractual qualification and/or incurred liability.

The Belgian DPA considers that a processor must operate as a subcontractor for the controller and that he must always operate on the account of the controller and not on his own account.

Regarding Joint Controllership Agreements (JCA), the Belgian DPA notes (freely translated):

              “Joint controllers will have to determine their respective responsibilities in an agreement, pursuant to article 26 GDPR.”
              and
“The initiative taken when proposing a subcontracting agreement or the contractual imbalance that exists between parties during negotiations, does not preclude the status of controller or processor of the person/entity taking the initiative or having a dominant position in the negotiations. One must always make an analysis on the basis of the prescribed factual criteria in order to legally qualify the role of each actor in the processing activity.”

The above is certainly important regarding part 3 of the EPDP Report (Data Processing Terms) and for determining the responsibilities of ICANN and the (non) contracted parties.

Hope this is useful.

Best,

Flip


Flip Petillion
fpetillion at petillion.law
+32484652653
www.petillion.law

[signature_694283322]<http://www.petillion.law/>

  Attorneys – Advocaten - Avocats




From: council <council-bounces at gnso.icann.org> on behalf of Erika Mann <erika at erikamann.com>
Date: Friday, 18 January 2019 at 09:55
To: "council at gnso.icann.org" <council at gnso.icann.org>
Subject: [council] GDPR EPDP

All - Maybe helpful for your EPDP discussion’s. Keep in mind this document is released by the Belgian national DPA and not the European cross national board of DPAs. Nonetheless I assume that they will have discussed this with their colleagues but I had no chance (yet) to check this.
Regards,
Erika

Belgium's privacy watchdog publishes guidance on the notions of controller and processor<https://www.lexology.com/r.ashx?i=6685664&l=88SJB9G>
CMS Belgium[CMS Belgium logo]<http://www.cms-db.com/>
Belgium<https://www.lexology.com/hub/belgium> January 17 2019

Recently, the Belgian Data Protection Authority (“DPA<https://www.dataprotectionauthority.be/>”) published guidance on controller and processor concepts (see original documents in French<https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Notions_RT_ST.pdf> and in Dutch<https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Begrippen_VW_OA.pdf>), refreshing the distinction between these two concepts and their implications.

In view of recent questions about the qualification and concrete application of the concepts of controller and processor, the DPA has decided to recap the principles and definitions applicable to these concepts.

Sent from my iPhone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/council/attachments/20190118/e1fd92d7/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 7393 bytes
Desc: image001.png
URL: <http://mm.icann.org/pipermail/council/attachments/20190118/e1fd92d7/image001-0001.png>

More information about the council mailing list