The new EU Regulation provides for the existence of different roles involved in the processing of personal data :
\n\u2022 Data Controller
\n\u2022 Controller ‘s representative
\n\u2022 Data Processor
\n\u2022 Joint Controller
\nreflecting , in principle , similar figures in the current legislation .<\/p>\n
As already noted in the post of Andrea Reghelin<\/a> one of most important innovations in the new EU regulation is a greater responsibility for the other roles apart from the data controller, as they also are called to respond civilly and criminally jointly with them.<\/p>\n The definition of these figures and their respective duties , both in the legislation in force and in the new regulations being defined , often lead to think that such roles are absolute : a subject is a data controller or a data processor (to quote the figures most common ).<\/p>\n In reality this is not true, since the allocation of these roles is linked to a single specific activity or to a set of activities. So the same person can occupy different roles at the same time for different activities or even for the same activity according to the role as a data controller or data processor . Similarly , and even more complex would be the situation of companies who’s mission is offering outsourcing services to third parties ; almost certainly those companies will be designated as data processors by the many individual customers . The data processor is defined, in theory , as a mere executor of tasks according to instructions and rules dictated by the data controller . The legislation in force and being finalized, says and defines nothing about this mixture of roles or the other above concerns , leaving individuals the problem of self-regulation between the parties.<\/p>\n However the heightened responsibility of all the other roles apart from the data controller under the new EU Regulation , making less viable the current practices :<\/p>\n The governing of relations between the parties will therefore most probably become object of much more complex negotiations than are currently.<\/p>","protected":false},"excerpt":{"rendered":" The new EU Regulation provides for the existence of different roles involved in the processing of personal data : \u2022 Data Controller \u2022 Controller ‘s representative \u2022 Data Processor \u2022 Joint Controller reflecting , in principle , similar figures in the current legislation . As already noted in the post of Andrea Reghelin one of\u2026 Leggi tutto »<\/a><\/span><\/p>\n","protected":false},"author":42,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[12,14,32],"class_list":["post-482","post","type-post","status-publish","format-standard","hentry","category-roles-and-liabilities","tag-general-data-protection-regulation","tag-organization","tag-roles"],"_links":{"self":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts\/482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/comments?post=482"}],"version-history":[{"count":3,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts\/482\/revisions"}],"predecessor-version":[{"id":767,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts\/482\/revisions\/767"}],"wp:attachment":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/media?parent=482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/categories?post=482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/tags?post=482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nFor example, any company, regarding the processing of data of its employees, is a data controller.
\nIt could, however, at the same time carry out a number of services on behalf of third parties as a data processor.<\/p>\n
\nA large bank could simultaneously take all 4 roles required by law.
\nFor example , the parent company, will assume the role of data controller for most of the activities, but it could be designated as a data processor for those activities , such as personnel management , which it carries out on behalf of other companies and banks in the Group .
\nSimilarly it could play the role of joint controller together with other partners in conducting joint activities.
\nFinally , for the subsidiary banks present in non-EU countries , it could play the role of Controller ‘s representative .
\nWithin the Banking Group , the parent company may in turn designate which data processor operating companies of the group , such as those devoted to the management of information systems or the management of property, creating a web of designations for different activities .<\/p>\n
\nWhat is the problem that arises in this case ?
\nA data controller is different from a data processor as it is the first that decides the purpose and methods of data processing<\/p>\n
\nBut what happens when the same operating company , acting as data processor on behalf of several data controllers, has received different instructions from these, perhaps even in conflict between one another ?
\nThe situation could get complicated if the data processor makes use mandatory , for the provision of its services , subcontractors , which may be provided for under agreements with some data controller , but not n the other agreements .<\/p>\n\n