{"id":17936,"date":"2022-04-15T09:00:00","date_gmt":"2022-04-15T08:00:00","guid":{"rendered":"https:\/\/www.rosello-mallol.com\/?p=17936"},"modified":"2022-04-08T11:32:53","modified_gmt":"2022-04-08T10:32:53","slug":"differences-data-transfer-commissioning","status":"publish","type":"post","link":"https:\/\/www.rosello-mallol.com\/en\/differences-data-transfer-commissioning\/","title":{"rendered":"Differences between data transfer and commissioning"},"content":{"rendered":"\n
In every-day office work, we quite often detect some confusion between data transfer and commissioning<\/strong> of the data, that is, access to data by a third party to provide a service.<\/p>\n\n\n\n Formally, it may seem that there are no difference because, at the end of the day, the personal data that a company or entity \u201cA\u201d has ends up in the hands of a company or entity \u201cB\u201d. However, we will see how the differences are extremely important in terms of their processing under the GDPR:<\/p>\n\n\n\n The transfer of data between two companies or entities is another form of personal data processing<\/strong>. From reading the GDPR, it can be concluded that the possible types of data processing include “communication by transmission”, “dissemination” or “interconnection” of data.<\/p>\n\n\n\n This leads to the case, therefore, in which the company or entity \u201cA\u201d has collected a series of personal data and shares it with a company or entity \u201cB\u201d, with a different legal status.<\/p>\n\n\n\n There are essentially three <\/strong>consequences of the transfer of data:<\/p>\n\n\n\n As data controller, each of the companies or entities involved in this processing is responsible for its obligations and must apply the criteria that the AEPD<\/a><\/strong> has established in its extensive doctrine.<\/p>\n\n\n\n In each case, what the transfer of personal data allows must be analysed and the corresponding solution applied in each case. If the answer is consent, let us remember that it must always be expressed<\/strong>.<\/p>\n\n\n\n This is a very different case with a completely different solution. It occurs when a company or entity “uses” other companies or entities<\/strong> so that they process data in their name and on their behalf.<\/p>\n\n\n\n We are effectively talking about cases in which a specific service is contracted<\/strong>, and the provision of that service means that a third party has access to the personal data<\/strong> that the \u201cclient\u201d company has independently collected.<\/p>\n\n\n\n This type of assumption is increasing in companies of all sizes: data hosted in the cloud, CRM, ERP, computer maintenance services, email transmission platforms, etc.<\/p>\n\n\n\n The solution in this case, as we have said, is completely opposite to that of the transfer of data, as the key here is to comply with the GDPR, essentially one<\/strong>:<\/p>\n\n\n\n The relationship between both companies or entities<\/strong> must be established in a contract<\/span><\/strong> where the assignment is very clearly established, where the data will only be used by the provider for that purpose, the security measures that will be applied, and what will happen to the data when the service ends.<\/p>\n\n\n\n Unilateral clauses<\/span><\/p>\n\n\n\n Sometimes, the supplier is not a company that negotiates contracts or agrees to sign the contract provided by the client. Even so, the obligation of the latter, as the data controller, is to ensure that the conditions of the service, even if they are not negotiated, comply with the GDPR.<\/p>\n\n\n\n Subcontracting<\/span><\/p>\n\n\n\n Subcontracting services deserve a separate mention, in which the contracted provider initially subcontracts part or all of the service entrusted and, with it, access to the data to a third party.<\/p>\n\n\n\n The GDPR is clear in the sense that the client (controller<\/span>) must authorise these subcontracts. It goes without saying that, in the case of unilateral clauses, this control is very complicated, and, once again, does not exempt the obligation of the controller from knowing all the companies that participate in the data processing.<\/p>\n\n\n\n Therefore, knowing the difference between the transfer of data and commissioning in data processing is essential for correct application of the GDPR<\/strong>. The legal solutions and consequences are, as we have seen, radically different.<\/p>\n\n\n\n If you have any question about this issue or any other issue, don’t hesitate to contact us<\/a><\/strong>!<\/p>\n\n\n\n <\/p> Data transfer: what is it and how is it regulated?<\/strong><\/h2>\n\n\n\n
Data transfer and commissioning: Commissioning or treatment by third parties<\/strong><\/h2>\n\n\n\n
<\/ul><\/div>\n