On 2 September 2020, the European Data Protection Board (‘EDPB’) published new guidelines on the concepts of controller and processor in the General Data Protection Regulation (‘GDPR’). These guidelines are open for public consultation until 19 October 2020. The new guidelines will replace the previous guidelines on the same concepts, which were issued by the Article 29 Working Party in 2010.
The first part of the new guidelines analyses the concepts of controller and processor, providing relevant examples. The second part analyses the consequences of, and relationship between, the different roles.
Controllers
While it is already established that a controller is the party who decides the purpose and the means of the processing (i.e. the why and how of the processing), the EDPB clarified that:
- A controller is a body that decides certain key elements of the processing;
- Although the controller must decide on both the purposes and means, some more practical aspects of implementation (referred to as the “non-essential means”) may be left to the processor such as the IT systems used or the specific security measures;
- A person can be the controller for a particular stage of processing or only for a part of it[1];
- It is not necessary for the controller to have access to the data that is being processed in order to be regarded as a controller[2]; and
- The terms of a contract can help to identify the controller but they are not decisive in all circumstances.
The EDPB also discussed the relationship between controllers and processors and its practical implications. The EDPB reminded controllers of their obligations to engage only processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR.
Further, the EDPB offered in-depth guidance as to what the data processing agreement should include and in what level of detail. It should not merely restate the relevant provisions of the GDPR. Instead, it should include specific and concrete information as to how the relevant requirements between controllers and processors will be met, particularly relating to the level of security to be deployed.
In particular, the data processing agreement should state how sub-processors are authorized, how the processor will help the controller meet its obligations under the GDPR, and the security measures implemented by the processor.
Joint controllers
The EDPB provided some practical guidance regarding the overarching criteria for determining joint controllers. The EDPB clarified that joint control can be exercised either through a “common decision” or through “converging decisions” (i.e. when the processing would not be possible without the decisions of both controllers).
While neither Directive 95/46/EC nor the GDPR prescribes in what form the relationship between joint controllers should be documented, the EDPB recommends that joint controllers enter into a contract or a similar binding document. The guidelines suggest that this binding document records each controller’s obligations towards data subjects, under the GDPR and towards each other.
The parties are free to allocate responsibilities between themselves as they deem fit depending on which one is in the best position to comply with such responsibilities. Joint controllers must make available the “essence” of their arrangement to data subjects, including providing clarity as to which data controller is the point of contact for the exercise of data subject rights.
Processors
The EDPB explained that there are two basic conditions for qualifying as a processor:
- It must be a separate entity from the controller; and
- It must process personal data on behalf of the controller, and therefore according to the controller’s instructions.
The processor is granted a certain degree of discretion in terms of how best to serve the controller’s interests, such as by being able to choose the most suitable technical and organisational means.
A processor will be considered a controller where it goes beyond the controller’s instructions and determines its own purposes and means of processing.
Comment
The EDPB’s new guidelines provide deeper colour around these ever-developing concepts. They serve as a reminder that the data protection regime under the GDPR as a whole is still maturing.
___________________
[1] Fashion ID, C-40/17, ECLI:EU:C:2019:629, paragraph 74
[2] Wirtschaftsakademie, C-201/16, ECLI:EU:C:2018:388, paragraph 38