The Regulation reinforces the responsibilities of the Data Controller and requires evidence that the processing carried out complies, from the early stages, with all the provisions of the Regulation. The Data Controller is also required to keep documentation of the processing operations carried out under its responsibility, mandatorily indicating, for each of them, the information that ensures and proves – for each operation – compliance with the provisions of the Regulation.
The Data Processor is connected to the Data Controller, since it is a public or private entity (natural or legal person) that processes personal data in accordance with the instructions of the Data Controller (who may therefore decide to process the data within its own organisation or to delegate all or part of the processing activities to an external organisation).
The text states that the relationship between the two parties must be regulated in writing (by contract or other legal deed), at least with regard to the purpose of the processing and the fundamental aspects of the means (the Data Processor serves the interests of the Data Controller with a certain level of discretion over the methods, being able to choose the most suitable technical and organisational tools). This obligation raises several considerations on the possible difficulties that may arise in implementing the legislative requirements, such as:
- being able to prove that the Processor meets the requirements of the draft Regulation (“The controller choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation”);
- regulating in writing all the obligations of the Data Processor;
- managing, for Data Processors that offer outsourcing services on behalf of several Data Controllers, the variety of obligations that may be contained in each appointment;
- regulating the cases in which the Data Processor outsources to other suppliers individual services involving the transfer or processing of personal data (e.g. complex chains of responsibility in Cloud Computing);
- including in the contract provisions that ensure an effective power of control of the Data Controllers over the Data Processors.
The Regulation also provides for an independent liability of the Data Processor that disregards the instructions received from the Data Controller or breaches applicable law: in such cases the Processor will be personally liable for the infringements committed (as Controller or Joint Controller).
In the presence of two or more Data Controllers (Joint Controllers) for the same processing of personal data, the draft Regulation provides that the perimeter of their respective privacy liability is contractually agreed. In case of uncertainty over liability, the Joint Controllers will be jointly and severally liable.
Some of the provisions of the latest version of the Regulation seem to introduce something very similar to the old and well-known DPS. Isn’t it?