Policy for Data Controller, Joint Controllers, and Subprocessors

1. Purpose and Scope

This Policy, including the principles and criteria defined herein, applies to the processing of personal data by Subprocessors and AIM LIFE, LDA., hereinafter referred to as AIM Cancer Center, in the roles of: Data Controller; Subprocessor; and Joint Controller.

2. Definitions

Measures – should be interpreted broadly as any method or means that a Data Controller can use in processing data.

Data Controller: A natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. The Data Controller makes decisions about data processing activities, exercising full control over the data being processed.

Joint Controller: When two or more controllers jointly determine the purposes and means of processing, they are joint controllers. Joint Controllers share the same purposes. They are not joint controllers if they process the same data for divergent purposes.

Subprocessors: Entities that process personal data on behalf or for the Data Controller. In this context, they serve the interests of the Data Controller, not their own. A Subprocessor may only process personal data in accordance with the Data Controller’s instructions, unless required by law. A Subprocessor can be either a company or an individual.

Sub-subprocessor: A Subprocessor may wish to subcontract all or part of the data processing to another Subprocessor. In this case, this third party is the sub-subprocessor.

Data Subjects: All individuals whose personal data is processed (collected, used, stored, retained, shared, etc.), specifically – employees, citizens (individuals or entities), and suppliers.

3. Description

In terms of data processing, it is important to assess the role of AIM Cancer Center. It may assume the role of: Data Controller; Subprocessor; and Joint Controller.

In situations where AIM Cancer Center assumes the role of Data Controller, it may share data with entities in a joint responsibility relationship (Joint Controllers) or in a subcontracting relationship.

To maintain information on situations where it acts as Subprocessor and in cases of establishing relationships as Joint Controller with Subprocessors, AIM Cancer Center ensures the completion of GDPR Record Control.

3.1 AIM Cancer Center as Data Controller

If AIM Cancer Center makes the decisions regarding personal data processing, it must be considered the Data Controller in the following cases:

  • Collecting the personal data initially;
  • The legal basis for the collection and processing;
  • The types of personal data being collected;
  • The purpose or purposes for which the data is processed;
  • The data subjects from whom data will be collected;
  • If data is disclosed to third parties, and if so, to whom;
  • What information must be provided to data subjects regarding the processing;
  • How to respond to requests to exercise the rights of data subjects;
  • For how long the data should be retained.

AIM Cancer Center is responsible for ensuring that the processing of data it carries out complies with the GDPR. Responsibilities according to the GDPR include:

  • Compliance with principles regarding data processing;
  • Exercise of data subject rights;
  • Implementation of technical and organizational measures ensuring the security of personal data;
  • Data breach notification process;
  • Recording processing activities;
  • Data protection impact assessment, where applicable;
  • Informing the DPO;
  • Transfers of personal data to third countries;
  • Cooperation with supervisory authorities and assisting them in performing their tasks.

All personal data stored and processed by AIM Cancer Center:

  • Is processed lawfully, fairly, and transparently;
  • Is collected for specified, legitimate, and clear purposes and may not be further processed in a manner incompatible with those purposes;
  • Is accurate and up to date;
  • Is kept only for as long as necessary for the purposes for which it was collected.

3.1.1 Technical and Organizational Measures

AIM Cancer Center has adequate technical and organizational measures to comply with the requirements of the GDPR, specifically measures to:

  • Avoid accidental data loss;
  • Prevent unauthorized access to the data;
  • Prevent data alteration and disclosure;
  • Limit access to data to employees and service providers whose roles require access. Processing by these individuals is done under the terms set by AIM Cancer Center and subject to confidentiality obligations;
  • Address any suspicion of a security breach.

3.1.2 Relationship of AIM Cancer Center with Subprocessors and Joint Controllers

In relationships with Subprocessors and Joint Controllers, AIM Cancer Center collects, stores, and processes the following data:

  • Personal information such as name, address, mobile phone, email;
  • Identification documents;
  • Tax information for invoicing.

Data is collected through paper, email, or computer applications.

Typically, AIM Cancer Center uses data from its Subprocessors and Joint Controllers under the following circumstances:

  • To fulfill the contract/agreements between the parties;
  • For pre-contractual procedures;
  • To comply with a legal obligation;
  • When necessary for legitimate interests (or third parties) and the rights and freedoms of the data subject do not override them;
  • To create contact in AIM Cancer Center’s database;
  • To control access to AIM Cancer Center’s facilities;
  • To issue an invoice for a service;
  • To notify in case of any data breach;
  • For other purposes, as long as the purpose still fits within the scope of the initial processing and necessary security conditions are ensured.

Subprocessors and Joint Controllers can exercise their rights as stated in AIM Cancer Center’s Personal Data Protection Policy.

3.1.3 AIM Cancer Center as Subprocessor

AIM Cancer Center may assume the role of Subprocessor in personal data processing. However, it cannot be both Data Controller and Subprocessor in the same processing activity. It is possible to be both a Data Controller and a Subprocessor for the same personal data as long as they are processed for different purposes.

Information regarding Subprocessors can be found in section 3.3.

3.2 AIM Cancer Center as Joint Controller

In situations where AIM Cancer Center shares data with entities in a joint responsibility relationship (Joint Controllers), AIM Cancer Center, together with the entity, must decide who is responsible for each obligation. To this end, AIM Cancer Center must sign a Data Protection Agreement between Joint Controllers, between AIM Cancer Center and the entity(ies). A single agreement may be created for multiple entities when they process data corresponding to the same data subjects.

AIM Cancer Center must inform data subjects about the data sharing with Joint Controllers.

AIM Cancer Center is responsible for ensuring that joint data processing complies with the GDPR, specifically:

  • Compliance with data processing principles;
  • Exercise of data subject rights;
  • Implementation of technical and organizational measures ensuring the security of personal data;
  • Data protection impact assessment, where applicable;
  • Data breach notification process;
  • Informing the DPO;
  • Transfers of personal data to third countries;
  • Both joint controllers are responsible to the supervisory authority if they fail to meet their obligations under the GDPR.

3.3 Subprocessor

AIM Cancer Center must choose a Subprocessor that offers sufficient guarantees of implementing technical and organizational measures to ensure that the processing meets the requirements of the GDPR.

When preparing a Data Processing Agreement with Subprocessors, AIM Cancer Center must include the provisions of Article 28(3) of the GDPR.

Under the subcontracting agreement between AIM Cancer Center and Subprocessor, it may be specified that the Subprocessor may decide:

  • What IT systems and technology or other methods will be used to collect the data;
  • How the data will be stored;
  • The details of the security measures implemented to protect the data;
  • How the data will be transferred from one organization to another;
  • How to adhere to a retention policy and schedule;
  • How to delete the data;
  • How to use technical knowledge to decide how to carry out certain activities on behalf of the Controller.

The Subprocessor is responsible for ensuring:

  • Compliance with data processing principles;
  • Exercise of data subject rights;
  • Implementation of technical and organizational measures ensuring the security of personal data;
  • Data breach notification process;
  • Recording processing activities, where applicable;
  • Data protection impact assessment, where applicable;
  • Informing the DPO;
  • Transfers of personal data to third countries;
  • Cooperation with supervisory authorities and assisting them in performing their functions.

The Subprocessor may not:

  • Make broader decisions such as deciding what types of data are collected or the purposes for which data will be used;
  • Use AIM Cancer Center’s employee data for their own purposes, they may only process the data as expressly identified by AIM Cancer Center and under the terms set by it;
  • Be both a Data Controller and Subprocessor for the same processing activity. However, it is possible to be both Data Controller and Subprocessor for the same personal data as long as they are processed for different purposes.

A Subprocessor that processes data beyond AIM Cancer Center’s instructions will become responsible for that data processing.

AIM Cancer Center has the right to take necessary steps to verify that the Subprocessor has the capacity to fulfill its obligations and implements the required measures to ensure compliance with the terms of the contract/agreement.

3.3.1 Sub-subprocessor

The Subprocessor may not engage another Subprocessor (a sub-subprocessor) for specific data processing operations on behalf of AIM Cancer Center without prior written authorization. Upon authorization, the Subprocessor must enter into an agreement with the sub-subprocessor that imposes the same data protection obligations as those set out in the agreement between the Subprocessor and AIM Cancer Center.

Sub-subcontracting does not alter the status of the Subprocessor, meaning they remain the Subprocessor, as the effective control over the processing still lies with AIM Cancer Center.

However, the Subprocessor will be held accountable to AIM Cancer Center for the legal compliance of the Sub-subprocessor. This means that if the failure is due to an action by the sub-subprocessor, the Subprocessor will indemnify AIM Cancer Center for any losses arising from the relationship established.

Still have questions?

Message us so we can help!

WhatsApp