addresses, e-mail addresses of clients, customers (as far as they are physical persons
and not companies[23]), employees, etc. are deemed to be personal data and should be
adequately protected. Conversely, all other sorts of data, such as company information
or industrial data to be processed in a simulation, are not personal data.
To illustrate which privacy measures should be adopted by the parties, we can
imagine that SaaSforyou offers its clients solutions in the field of employee
management based on the SaaS paradigm. The customers/end users send data
regarding their employees to SaaSforyou, which processes them and delivers back the
payrolls and/or the calculation of contributions to be paid. All this data is processed in the
Grid or Cloud of SuperICTResources, with which SaaSforyou has an agreement as
specified in the previous paragraphs. What do the parties have to take into account
in order to avoid any breach of legal provisions?
In our case, and the same may apply in similar situations, the companies that are
customers of the SaaS provider are the data controllers, as they determine the
purposes and means of the processing of personal data; SaaSforyou is the data
processor, which processes data on behalf of the controller, following the instructions
contractually given by the above customers; SuperICTResources, subcontractor of
SaaSforyou, is also a data processor[24]. The reader should be aware that the distinction
between data processor and controller should be assessed on a case-by-case
basis and depends on the level of decision-making power of the parties involved.
According to the concrete modalities of providing the services and to the opinions
expressed by the national data protection authorities concerned, SaaSforyou and/or
SuperICTResources may be deemed to be data controllers, and therefore more
stringent requirements will apply (it is therefore highly advisable that the parties first
verify the provisions stated in the applicable national legislation and the positions of
the competent national data protection authority)[25].
From a practical perspective, then, it is pivotal to state that SaaSforyou and its
clients shall enter into a contract regulating privacy aspects (to be notified by the
[23] The reader should be aware that as soon as a company/person holds or manages data of contact
persons within a company, data protection legislation becomes applicable.
[24] See Art. 2(d) and (e) of the Data Protection Directive.
[25] Therefore, the controller is the person who bears the responsibility to implement the data
protection principles and to comply with the obligations they set forth. It is thus important
to define clearly who is considered the controller of the data processing. The concept is not
always clear and should be distinguished from that of the processor. Both concepts were
introduced by Directive 95/46/EC. The controller is the natural or legal person, public
authority, agency or any other body which alone or jointly with others determines the
purposes and means of the processing of personal data. The processor is the natural or legal
person, public authority, agency or any other body which processes personal data on behalf
of the controller. Processors are usually sub-contractors who perform specific tasks on the basis
of the instructions given by the controller. They are compelled to follow the instructions
provided and to ensure the security of the personal data they process. The actual ability
to decide upon the purposes and means of the processing is the core criterion for
distinguishing controllers from processors. This analysis should be carried out on a
case-by-case basis.