On 7 September 2020, the European Data Protection Board (EDPB) issued draft guidelines on the concepts of controller and processor. The concepts play a crucial role in the application of the GDPR, as they determine who will be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.

The concepts have not changed compared to the Data Protection Directive 95/46/EC (now repealed) and the general criteria for how to attribute the different roles remain the same. However, the EDPB acknowledges the necessity of providing clarification on these concepts under the GDPR.  Since the entry into force of the GDPR, many questions have arisen in relation to the implications of the concept of joint controllership (under Article 26 GDPR), and the specific obligations for processors (under Article 28 GDPR). The guidelines replace the previous Opinion of the Article 29 Working Party on the concepts of controller and processor (Opinion 1/2010).

In part I, the guidelines discuss the definitions of the concepts of controller, joint controllers, processor, and third party/recipient. Part II considers the consequences that are attached to the different roles. The guidelines also contain helpful examples of the circumstances when an entity is a controller, joint controller or processor.

Key takeaways

Part 1 – Concepts

General Observations

  • The legal status of an entity as either a ‘controller’ or a ‘processor” will be determined by its actual activities in a specific situation, rather than upon its contractual designation.
  • The same entity may act at the same time as controller for certain processing operations and as processor for others. The qualification as controller or processor has to be assessed with regard to each specific data processing activity.
  • Where a company and public body appoints a specific person to ensure compliance with data protection rules, this person will not be the controller, but will act on behalf of the legal entity (company or public body) which will ultimately be responsible in case of infringement of the rules in its capacity as controller.

Controller

  • A controller determines the purposes and means of the processing (i.e. the why and how of the processing). It is not necessary that the controller actually has access to the data that is being processed to qualify as a controller.
  • The EDPB recognise that some margin of manoeuvre may exist for the processor to make some decisions in relation to the processing, and consider the extent to which a processor may make decisions of its own. Decisions on the purpose of the processing are always for the controller to make. In regard to the means of processing, the EDPB distinguish between essential and non-essential means. ‘Essential means’ are reserved to the controller (e.g. which data shall be processed and for how long). However, ‘non-essential means’, such as the choice of a particular hardware or software or the detailed security measures, may be left to the processor to decide on.

Joint Controller

  • Joint controllers may arise where more than one entity is involved in the processing. An important criterion is that the processing would not be possible without both parties’ participation.
  • Joint participation in the determination of purposes and means implies that more than one entity has a decisive influence over whether and how the processing takes place.
  • The concept of joint controllers is not new and already existed under the Data Protection Directive 95/4/EC. However, Article 26 GDPR introduces specific rules for joint controllers. In addition, the Court of Justice of the European Union (CJEU) has, in recent judgments, clarified the concept and its implications.
  • The fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership (Jehovah’s Witnesses case (C-25/17)).
  • An entity will be considered a joint controller only in respect of those operations for which it determines (jointly with others) the means and purposes of the processing. If one of the entities decides alone the purposes and means of preceding or subsequent operations, that entity must be considered as the sole controller of those operations (Fashion ID (C-40/17)).

Processor

  • The basic two conditions for qualifying as a processor are: (i) being a separate entity in relation to the controller (i.e. an external organisation) and (ii) processing personal data on the controller’s behalf, but otherwise than under its direct authority or control.
  • Within a group of companies, one company can be a processor to another company acting as controller, as both companies are separate entities.
  • Employees and other persons that are acting under the direct authority of the controller are not processors, as they process personal data as a part of the controller’s entity. In accordance with Article 29 GDPR, they are also bound by the controller’s instructions.

Third Party/Recipient

  • The GDPR defines the concepts of third parties and recipients, but does not lay down specific obligations in relation to them. Entities that are third parties or recipients of personal data from one perspective, may simultaneously be regarded as controllers or processors from other perspectives.

Part 2 – Consequences of attributing different roles

Relationship between controller and processor

  • Both the controller and processor are responsible for ensuring that there is a contract to govern the processing.
  • The data processing agreement should not merely restate the provisions of the GDPR, rather it should include more specific, concrete information as to how the requirements will be met in practice and specify the level of security that is required.
  • The obligation to use only processors “providing sufficient guarantees” contained in Article 28(1) GDPR is a continuous obligation. The controller should, at appropriate intervals, verify the processor’s guarantees, including through audits and inspections where appropriate.
  • The processor must assist the controller in ensuring compliance with its obligations under Articles 32-36 of the GDPR. The  processing agreement must avoid merely restating these duties of assistance, and should contain details as to how the processor is required to assist the controller meet its obligations. For example, in regard to the obligation to assist the controller to meet its data breach notification obligations, the contract should specify how the processor shall notify the controller in case of a breach; provide a specific time frame of notification (e.g. number of hours), and include the point of contact for such notifications.
  • The agreement must specify that the processor may not engage another processor without the controller’s prior written authorisation and whether this authorisation will be specific or general. Where specific authorisation is required, the contract should set out the process for obtaining such authorisation.

Relationship between joint controllers

  • The legal form of the arrangement among joint controllers is not specified by the GDPR. For transparency and accountability purposes, the EDPB recommends that such arrangements be made in the form of a binding document such as a contract.
  • In regard to the terms of the arrangement, it should not only cover the allocation of responsibilities referred to in Article 26(1), but also responsibility for, without limitation: (1) implementation of the data protection principles (Article 5 GDPR); (2) legal basis for processing (Article 6 GDPR); (3) security measures (Article 32 GDPR); (4) notification of personal data breaches to the competent supervisory authority and data subjects (Articles 33 and 34 GDPR); (5) data protection impact assessments (Articles 35 and 36 GDPR): (6) use of a processor (Article 28); (7) transfers of personal data to third countries (Chapter V GDPR); and (8) contact with data subjects and supervisory authorities.
  • The EDPB notes that irrespective of the terms of the arrangement, data subjects may exercise their rights in respect of and against each of the joint controllers (Article 26(3) GDPR). Supervisory authorities are not bound by the terms of the arrangement whether on the issue of the qualification of the parties as joint controllers or the designated contact point.
  • The obligations do not need to be equally distributed among joint controllers. The existence of joint responsibility does not necessarily imply equal responsibility (CJEU, C-210/16).
  • There may be cases where not all of the obligations can be allocated, and joint controllers need to comply with the same requirements (e.g. each joint controller is required to maintain a record of processing activities and designate a Data Protection Officer (DPO) (where applicable)).
  • The essence of the arrangement must be made available to data subjects. The GDPR does not specify the manner in which such information should be made available to data subjects. The EDPB suggests that the joint controllers could make it available in their privacy policy or upon request to the DPO or other contact point.

The guidelines are open to public consultation until 19 October 2020 for stakeholders to submit their views.