Q&As

Where a prime contractor contracts with a customer (acting as controller) to provide services involving processing of personal data, but the personal data will not be shared with the prime contractor, is the customer obliged by Article 28 of Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), to enter into a direct agreement containing the mandatory processor clauses under Article 28 of Regulation (EU) 2016/679, GDPR, with the sub-contractor rather than the prime contractor?

Produced in partnership with Shobana Iyer of Swan Chambers
Published on LexisPSL on 21/05/2018

The following Information Law Q&A produced in partnership with Shobana Iyer of Swan Chambers provides comprehensive and up to date legal information covering:

  • Where a prime contractor contracts with a customer (acting as controller) to provide services involving processing of personal data, but the personal data will not be shared with the prime contractor, is the customer obliged by Article 28 of Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), to enter into a direct agreement containing the mandatory processor clauses under Article 28 of Regulation (EU) 2016/679, GDPR, with the sub-contractor rather than the prime contractor?
  • Definition of processing
  • Definition of controller
  • Definition of processor
  • Article 28
  • Roles of the parties

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), will replace Directive 95/46/EC, the Data Protection Directive, and all implementing data protection legislation in EU Member States, including the UK's Data Protection Act 1998 (DPA 1998), from 25 May 2018. The GDPR will be directly applicable in all EU Member States without the need for implementing national legislation. The Data Protection Bill (DPB 2017), once finalised, may make further alterations to the requirement for UK entities. See Practice Note: The Data Protection Act 2018.

Definition of processing

The term ‘processing’ is very broad. Under Article 4(2) of the GDPR, ‘processing’ means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Definition of controller

Article 4(7) of the GDPR defines a ‘controller’ as meaning (emphasis added):

‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’

This definition
