Legal Basis for Processing

28 April 2018

Does a data processor require a legal basis (beyond the contract it has with the data controller) in order to process data provided by the data controller?

The processor has to consider the reasonable expectation of the data subject and ensure a legitimate interest is pursued.

A contractual basis will only work if there is a contract with the data subject; therefore, there would need to be a legitimate interest. However, the purpose of the processing should be limited solely to the process categories intended by the contract with the controller. It should also be remembered that data subjects may wish to exercise their rights under Articles 15-22, and these may supersede the legitimate interest grounds.

While processing data on behalf of the controller, within the limits of the controller contract, does not pose any legal compliance issues for the processor (except for the organisational, legal and technical obligations), should the processor decide to process the data beyond the scope of the controller's written instructions, it becomes a controller.

The Article 29 Working Party has published guidance on this. Where there is no consent for marketing, and there is no other legal basis for processing personal data, the correct course is to delete it. You absolutely cannot retain it and send a reminder on a periodic basis. Those reminders would be considered marketing material. Already we have seen entities fall foul of this.

Ultimately, the controller must ensure the processor processes data in a compliant way.
