who processes personal data on behalf of the controller. The distinction between controller and processor becomes important as it determines who is responsible for compliance with the relevant data protection laws and the enforcement authorities. Data processing was broadly defined in the EU Data Directive and included any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. Notification to the Data Protection Authority in Advance. Businesses setting up an office or operation in Europe were required to notify the relevant Data Protection Authorities (DPAs) that the business intended on processing personal information as a data controller within the relevant jurisdiction. This could be as simple as processing personal data of just a few employees to pay their salaries or the processing of significant amounts of customer data maintained in databases in multiple locations. A unique and key part of the EU Data Directive was the requirement for notification to the appropriate DPA by the data controller before processing may commence. The purpose of such notification was to allow the DPA to assess the risk posed to the rights and freedoms of the data subjects by the proposed processing, and to post such information in a national register accessible to all. This notification requirement was the part of the EU Data Directive with which a Minnesota business was likely to have the most contact. Data processing by the Minnesota business was not supposed to start until this notification was complete. Data Protection Authorities differ however in when this notice is deemed effective. In some cases, notice would be considered complete when the fee was paid or it may not be effective until a receipt and notice was actually received from the DPA. Failure to notify a DPA prior to commencing the data processing activities, in some cases, constituted a criminal offense.
138
Made with FlippingBook - Online Brochure Maker