Page 38 - SMRH Eye on Privacy 2019 Year in Review Brochure

CNIL Issues Record-Keeping Guidance
Posted on September 30, 2019
Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To address questions raised by many companies, CNIL recently issued guidance on how to fulfill record-keeping obligations. The guidance includes a record of processing activities (RPA) template for controllers, and outlines the contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, the recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any open questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards changes in the activities and the types of information processed. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested.
PUTTING IT INTO PRACTICE: The recent CNIL guidance provides helpful insight on how to maintain records in accordance with GDPR requirements. Other resources include information from the UK ICO.
Processor or Controller? It Really Depends
Posted on August 19, 2019
The European Data Protection Board and the European Data Protection Supervisor recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI). As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is to ensure the continuity of cross-border healthcare for patients as they move throughout the EU. To realize this goal, the Commission created the eHDSI, the system which enables the exchange of electronic patient data amongst member states. To clarify its role as the eHDSI creator and operator, the Commission sought the joint opinion of the EDPB and the EDPS as to whether it was acting as a processor.
The opinion determined that the Commission processes personal data in two situations. First, when setting up access rights for individuals granted access to the System. Second, when transferring patient data from one member state to another through the System. In making their determination, the EDPB and the EDPS relied on the Article 29 Working Party’s Opinion on the test for being a controller or a processor. Namely, “while determining the purpose of the process would in any case trigger the qualification as a controller, determining the means would imply control only when the determination concerns the essential elements of the means. In this perspective, it is well possible that the technical and organizational means are determined exclusively by the processor.” With this guidance in mind, the opinion focused on the fact that the Network: 1) made the decision to use eHDSI; and 2) determined the purpose of the personal data processing in eHDSI, i.e. “ensuring continuity of cross-border health care.” By selecting eHDSI as the system, the Network chose the essential means of the processing. This was true even though the Commission created and maintained eHDSI and ultimately had exclusive control over eHDSI’s technical and organizational means. The opinion conceded that, as the supplier of the System, the Commission had a “certain degree of involvement” in defining the System’s security and communication standards, i.e. the means of processing. Nonetheless, when the Network used its decision-making power to decide which system to use, it chose the essential means of processing. Consequently, the opinion concluded that the Commission was acting as a processor.
PUTTING IT INTO PRACTICE: For entities trying to decide whether or not they are a “controller,” this recent opinion illustrates that controlling an environment where personal data is processed does not in itself make the entity a data controller. Instead, at least according to this opinion, the focus should be on which entity gets to choose the environment in which the processing occurs.