1. A software development company has developed a software solution where personal data is collected and processed in the cloud - during a pilot period a telecom company is offering this solution to their end clients, however the Terms & Conditions of the software development company are displayed in the application. The question is - what are the telecom company and software development company - controllers, joint-controllers, or something else?
2. Same relationship between software development company and a telecom company like in the first question, only this is not a pilot period any more, and Terms & Conditions are displayed from the telecom company (i.e. the software development company is not visible any more to the end clients) - again the same question - who has which role?
3. If a software solution includes monitoring of movement of elderly persons in their homes for the purpose of medical care, would this require consent from the monitored (elderly) persons since they would not operate the software? The software would be operated by medical professionals. What would be the most practical solution for the consent in this situation?
1. A software development company has developed a software solution where personal data is collected and processed in the cloud - during a pilot period a telecom company is offering this solution to their end clients, however the Terms & Conditions of the software development company are displayed in the application. The question is - what are the telecom company and software development company - controllers, joint-controllers, or something else?
It depends on who has the control over personal data collected, if both companies have access to data they can be defined as joint controllers, while if the development company has access to data collected through the app it should be considered as a processor. The telecom company will always be a controller because the app is provided to its end clients, so it can decide the means and purposes of data processing (even providing an app to its clients is a choice on data processing). So you need to determine how independent the development company is from the telecom company in collecting and processing data from users. If they cooperate on the same level, defining together how to process data, they will be joint controllers. On the contrary, if the telecom company requested an app with some characteristics and a certain kind of data processing and access to data, the development company is processing data on behalf of the telecom company and acting as a data processor.
2. Same relationship between software development company and a telecom company like in the first question, only this is not a pilot period any more, and Terms & Conditions are displayed from the telecom company (i.e. the software development company is not visible any more to the end clients) - again the same question - who has which role?
The answer is the same as above. It does not depend on the Terms and Conditions but on who decides how to process data, who has access to data, who manages data. In any case, the telecom company will be the controller, the software development company will be a joint controller or processor depending on the level of independence in determining how to process personal data.
3. If a software solution includes monitoring of movement of elderly persons in their homes for the purpose of medical care, would this require consent from the monitored (elderly) persons since they would not operate the software? The software would be operated by medical professionals. What would be the most practical solution for the consent in this situation?
Yes. It requires consent from elderly persons. It should be indicated in the consent that the patient provides to the medical professionals for therapy or diagnostic purposes on the medical treatment through that software which may monitor its behavior. From an accountability point of view, the software should ask for consent from any patient, and of course, it will be the medical professional that materially “clicks” on the “I agree” button once the consent to the medical treatment has been acquired from the patient.
Here you can find more information on the role of processor and controller
- EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
- Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
If you want to learn how to process data under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//
Thank you for your responses.
I would like however to question the response on Consent of the Elder.
This solution is built for the sole purpose of monitoring the Elder in conjunction with the caregiver. It is their data for them to use and interpret how they wish. We are simply presenting the data for the Caregiver and Elder to use. They pay us for this service. i.e. we have a contractual obligation to collect this data for them to consume.
Therefore can we not just state in the Terms of the application that it is the responsibility of the registered user to ensure they have full consent from the Elder being monitored, and avoid a consent process?
The software company acts as a processor while the caregiver is the data controller. In that case, your privacy notice will state that the controller is the caregiver since it is the person that has control over data processing. You will also need a data protection agreement with caregivers annexed to your commercial licensing/software agreement.
Feb 22, 2021