Expert Advice Community

Guest

Questions for GDPR

  Quote
Guest
Guest user Created:   Oct 28, 2021 Last commented:   Oct 30, 2021

Questions for GDPR

I'm wondering if you could help me out with a couple of questions related to GDPR and controllers? Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?) A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?
0 1

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Oct 30, 2021

"I'm wondering if you could help me out with a couple of questions related to GDPR and controllers?

Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?)


I assume that your system provides a service to your clients and while providing the service processes personal data of employees and visitors (i.e., an access control software installed on premises). If this is the case, you are the data processor because you are providing the means for the data controller (your client) to process personal data of the employees and visitors for its own purposes (in our example, of access control software to guarantee safety).
In fact, Article 28 GDPR states that the data processor is who processes personal data on behalf of the data controller. 

A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?"


If your organization falls in the scope of The Canadian Personal Information Protection and Electronic Documents Act ("the Canadian Act") (and further emendments) you can benefit of the adequacy decision of the European Commission (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002) and you can proceed with data transfer according the Article 45 GDPR without implementing the Standard Contractual Clauses. 
Here you can find the list of countries with adequacy decision: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en 


Here you can find more information about the difference between controller and processor and about the data transfer:
EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
3 steps for data transfers according to GDPR https://advisera.com/eugdpracademy/knowledgebase/3-steps-for-data-transfers-according-to-gdpr/


If you need to understand how to implement EU GDPR compliance, you may consider enrolling in our EU GDPR Foundations Course: https://training.advisera.com/course/eu-gdpr-foundations-course/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 28, 2021

Oct 30, 2021

Suggested Topics

Guest user Created:   Jun 24, 2021 EU GDPR
Replies: 1
0 0

GDPR Compliance questions

Guest user Created:   Apr 29, 2021 EU GDPR
Replies: 1
0 0

Questions regarding GDPR

Guest user Created:   Feb 21, 2021 EU GDPR
Replies: 3
0 0

EU GDPR questions