The Obligations of the Personal Data Processor in the European Union and the Feasibility of Its Acceptance in Iranian Law

Document Type : Original Article

Authors

1 PhD student in Private Law

2 Associate professor at Ferdowsi University of Mashhad

3 Associate professor at Ferdowsi University of Mashhad

4 Assistant professor at Ferdowsi University of Mashhad

Abstract

By ratifying the EU General Data Protection Regulation (GDPR), all EU member states are required to provide maximum protection for personal data. To fully realize these protections, data processors are required to comply with various obligations under this regulation. These obligations are set out in various GDPR articles for the purpose of effectively protecting personal data and data subjects. Explaining these obligations from the point of view of European regulations on personal data made it clear that the Iranian legal system does not stipulate such obligations and that only their generalities can be inferred from various sources of Iranian law, such as statute law, the fundamentals of Iranian law, and Jaʿfarī jurisprudence. These implied meanings are insufficient to accurately explain the various obligations of data processors, and the details of this matter need to be clarified by the legislator. In this regard, this research proposes provisions on the various obligations of data processors, including the controller’s liability for the processing, the controller’s commitment to choosing an appropriate processor, keeping records of processing activities, cooperating with supervisory authorities, ensuring the security of processing, notifying and communicating personal data breaches to supervisory authorities and the data subject, and appointing data protection officers (DPOs).
