I was umming and ah’ing about asking this question because I thought I should know it! But I hold my hands up and admit. I am struggling!! Under Article 28 we would need to have a Data Processing Agreement if we engaged with a TP who’d be processing PID on our behalf. Simple enough. However, it turns out the TP is not a “Processor” but will be providing substantive staff to (no. of clinicians) to conduct 3 services. The PID won’t leave our Trust. They will be bound by our confidentiality polices and procedures etc. Will a contract of employment suffice?
BlueBottle
What’s PID? Some kind of hybrid of personally-identifiable information and personal data?
As with many things in privacy, this question crosses over into other areas of law, in this case taxation and employment. What country are you based in?
It largely depends on whether the company “providing” the staff is providing a service to your organisation, in which these clinicians are simply employees of the service provider; or an agency providing temporary workers to your organisation, for you to direct and control. I will assume the latter.
The World Employment Confederation provided feedback on the agency worker triangular relationship here: https://edpb.europa.eu/sites/default/files/webform/public_consultation_reply/wec_input_consultation_edpb_controller_processor_final.pdf
EDPB Guidelines 07/2020 adopted this year incorporate a reference to agency workers: https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf
BlueBottle
So if the clinician is an agency worker, and they will be processing personal data “under the direct authority of” your organisation, then from your perspective, they are not a third party and can therefore not be considered a processor.
There may need to be controller-to-controller contractual safeguards if the agency transfers the personal data of the clinicians to your organisation, which you then incorporate into your HR systems and process according to your own determination of purposes and means.
For the clinician, if an agency worker, their contract of employment will be with the agency, not your organisation. Therefore a separate confidentiality agreement incorporating the same terms you would apply to your employees might be needed.
BlueBottle
[These comment boxes are very strictly limited, so I’ll reply to my comment with the rest of my answer.]
Excerpting from pp 28-29:
86. Article 4(10) defines a “third party” as a natural or legal person, public authority, agency or body other than
the data subject,
the controller,
the processor and
persons who, under the direct authority of the controller or processor, are authorised to process
personal data.
…
BlueBottle
…
88. Whereas the terms “personal data”, “data subject”, “controller” and “processor” are defined in the Regulation, the concept of “persons who, under the direct authority of the controller or processor, are authorised to process personal data” is not. It is, however, generally understood as referring to persons that belong to the legal entity of the controller or processor (an employee or a role highly comparable to that of employees, e.g. interim staff provided via a temporary employment agency) but only insofar as they are authorized to process personal data. An employee etc. who obtains access to data that he or she is not authorised to access and for other purposes than that of the employer does not fall within this category. Instead, this employee should be considered as a third party vis-à-vis the processing undertaken by the employer. Insofar as the employee processes personal data for his or her own purposes, distinct from those of his or her employer, he or she will then be considered a controller and take on all the resulting consequences and liabilities in terms of personal data processing.