white_paper_on_data_protection_in_india_171127_final_v2
CHAPTER 6: ENTITIES TO BE DEFINED IN THE LAW: DATA CONTROLLER AND PROCESSOR
6.1 Introduction
Accountability is a central principle in data protection. To translate data protection norms into action, a widely used method is to identify the party accountable for compliance with these norms. For this purpose, the concept of control over data is used.
Control over data, in such systems, refers to the competence to take decisions about the contents and use of data. 258 The entity that has control over data is responsible for compliance with data protection norms and is termed a "data controller." In addition to the data controller, other entities which take part in the processing of data are often identified and defined. For instance, a data processor is an entity which is closely involved with processing but which acts under the authority of the data controller. 259
Identification of all entities participating in the entire cycle of data processing is not the only method of allocating responsibility. There are various models which have evolved in this regard in other jurisdictions. Each operates at a different level of specificity in identifying the entities involved in processing. These alternatives are considered below.
6.2 Issues and International Practices
European Union
The model that is most prescriptive is the EU GDPR which uses the concepts of data controller, data processor and third party to identify various entities involved in the processing of personal data. 260 A data controller is the entity which determines the purposes and means of processing data. 261 A processor is an entity which processes data on behalf of the controller. 262 The meaning of "third party" is not immediately apparent from the definition which refers to other entities apart from controllers or processors who under the authority of controller or processor are authorised to process data. 263 A useful illustration is of
258 See 'Definition of data controller' in OECD, 'OECD Guidelines Concerning the Protection of Privacy and Transborder Flows of Personal Data' (2013), available at: http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part1, (last accessed 31 October 2017).
259 Article 29 Data Protection Working Party Opinion, 'Opinion 01/2010 on the Concepts of 'Controller' and 'Processor'', European Commission (16 February 2010), available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf, (last accessed 31 October 2017).
260 A fourth category of recipient is also identified in Article 4(9), EU GDPR.
261 Article 4(7), EU GDPR.
262 Article 4(8), EU GDPR.
263 Article 4(9), EU GDPR.