Data Protection Contract Relationships

References to “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing”, “Data Protection Officer” and “Data Processor” in the Special Conditions of Contract clauses have the meanings set out in, and will be interpreted in accordance with the Applicable Laws. “Applicable Laws” shall mean the relevant data protection and privacy laws, including but not limited to, the General Data Protection Regulation (EU) 2016/679, and the Data Protection Act, Chapter 586 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time.

1 Determining the Relationship between the Parties

Where Personal Data of Data subjects will be processed within the operations/services that will be offered as part of the contract, the Parties undertake to determine whether by entering into their contract, their relationship shall be deemed as that of a:

i)   Data Controller to Data Controller
ii)  Data Controller to Data Processor
iii)  Joint Data Controllers

1.1 Controller to controller relationship

A data controller exercises control over the processing and carries data protection responsibility for that processing. According to Applicable Laws, “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

Activities such as interpretation, the exercise of professional judgement or significant decision-making in relation to personal data must be carried out by a data controller.

To determine whether the parties are independent data controllers, they need to each identify whether they take their own decisions in relation to the following:

• to collect the personal data in the first place and the legal basis for doing so;
• which items of personal data to collect, i.e. the content of the data;
• the purpose or purposes the data are to be used for;
• which individuals to collect data about;
• whether to disclose the data, and if so, to who;
• whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
• how long to retain the data or whether to make non-routine amendments to the data.

The above is not an exhaustive list but indicates decisions that can only be taken by the data controller as part of its overall control of the data processing operation.

1.2 Controller to processor relationship

According to Applicable Law a “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. 

The definition of ‘processing’ suggests that a data processor’s activities must be limited to the more ‘technical’ aspects of an operation, such as data storage, retrieval or erasure. The provision of a service by a processor to the data controller would involve the data controller transferring to the processor or providing the processor with access to personal data of its data subjects. This can also take the form of outsourcing of services involving personal data disclosures e.g. payroll services, IT administration etc.

Within the terms of the agreement with the data controller, and its contract, a data processor may decide:

• what IT systems or other methods to use to collect personal data;
• how to store the personal data;
• the detail of the security surrounding the personal data;
• the means used to transfer the personal data from one organisation to another;
• the means used to retrieve personal data about certain individuals;
• the method for ensuring a retention schedule is adhered to; and
• the means used to delete or dispose of the data.

The above list is not exhaustive but illustrates the key roles of a processor.

1.3 Joint controller relationship

Two entities can determine jointly the purposes for which and the manner in which the personal data is processed. There may be various situations when data controllers are acting together. 

Some situations are discussed when the actors simultaneously perform business operations on personal data that are complementary in nature to providing services to consumers. This would involve joint participation in a business activity that requires processing the same personal data (not just sharing the same pool of personal data for different and distinct purposes).

The parties should determine if and to what extent relevant decisions are taken together by the parties and how the processes themselves are intertwined.

Two entities can determine jointly the purposes for which and the manner in which the personal data is processed. There may be various situations when data controllers are acting together.

2 Regulating the relationship between the Parties

Once the key roles are determined, the Parties shall regulate their relationship as stipulated in the Specifications/Terms of Reference by signing one of the following agreements:

i)   Data Sharing Agreement in a Data Controller to Data Controller relationship, where applicable;
ii)  Data Processing Agreement in a Data Controller to Data Processor relationship;
iii) Joint Controller Agreement in a Joint Data Controller relationship.

                                                                                                                                                                                                 Last updated 05/02/2019