Thank you for sharing Erika.

 

Having read the guidance document, it remains clear that the distinction controller / processor is a functional one, which must be based on a factual analysis of the processing activities instead of the contractual qualification and/or incurred liability.

 

The Belgian DPA considers that a processor must operate as a subcontractor for the controller and that he must always operate on the account of the controller and not on his own account.

 

Regarding Joint Controllership Agreements (JCA), the Belgian DPA notes (freely translated):

 

              “Joint controllers will have to determine their respective responsibilities in an agreement, pursuant to article 26 GDPR.”

              and

“The initiative taken when proposing a subcontracting agreement or the contractual imbalance that exists between parties during negotiations, does not preclude the status of controller or processor of the person/entity taking the initiative or having a dominant position in the negotiations. One must always make an analysis on the basis of the prescribed factual criteria in order to legally qualify the role of each actor in the processing activity.”

 

The above is certainly important regarding part 3 of the EPDP Report (Data Processing Terms) and for determining the responsibilities of ICANN and the (non) contracted parties.

 

Hope this is useful.

 

Best,


Flip

 

 

Flip Petillion

fpetillion@petillion.law

+32484652653

www.petillion.law

 

signature_694283322

 

  Attorneys – Advocaten - Avocats

 

 

 

 

From: council <council-bounces@gnso.icann.org> on behalf of Erika Mann <erika@erikamann.com>
Date: Friday, 18 January 2019 at 09:55
To: "council@gnso.icann.org" <council@gnso.icann.org>
Subject: [council] GDPR EPDP

 

All - Maybe helpful for your EPDP discussion’s. Keep in mind this document is released by the Belgian national DPA and not the European cross national board of DPAs. Nonetheless I assume that they will have discussed this with their colleagues but I had no chance (yet) to check this.

Regards,

Erika 

 

Belgium's privacy watchdog publishes guidance on the notions of controller and processor

CMS BelgiumCMS Belgium logo

Belgium January 17 2019

Recently, the Belgian Data Protection Authority (“DPA”) published guidance on controller and processor concepts (see original documents in French and in Dutch), refreshing the distinction between these two concepts and their implications.

In view of recent questions about the qualification and concrete application of the concepts of controller and processor, the DPA has decided to recap the principles and definitions applicable to these concepts.

 

Sent from my iPhone