The EDPS guidelines on the concepts of data controller, processor, and joint controllership are a useful tool for organizations assessing which of these roles they actually hold.
The European Data Protection Supervisor (“EDPS”) issued a set of guidelines to assist EU institutions and bodies in complying with the provisions of the Regulation (EU) 2018/1725. Although they are addressed to EU institutions and organizations, the Guidelines will be useful for all businesses that need to determine whether they act as controller, processor, or joint controller under the EU General Data Protection Regulation.
Below is an outline of the main points addressed by the guidelines:
The data controller does not need to have full control over the processing operations
The role of the data controller in determining the purposes and means of the processing of personal data refers to a “factual influence that the controller has over the processing operation, by virtue of an exercise of decision-making”.
When carrying out a processing operation, the controller is the one deciding on the purpose (‘why’) and on the means to carry out such processing operation (‘how’). But a party does not need to determine both to the same degree:
- a controller is an entity that de facto decides on the purpose (‘why’) of a processing operation; but
- it is sufficient that it determines the essential elements of the means of processing (e.g., the types of processed data, the retention period, who has access to data, etc.).
The above elements are so relevant that, according to the EDPS, an entity does not need to have access to personal data to be considered a controller. If the two conditions above are met, it is sufficient that it receives anonymous statistics based on personal data collected and processed by another entity. This point matters because it means that an entity instructing a third party to perform a processing activity is still a data controller even if it is not involved in the processing operations. Therefore, outsourcing the processing cannot be relied on as a shield against regulatory challenges.
The independence of the data processor can be preserved
In line with the approach taken on the definition of the data controller, the EDPS deems that
the fact that the processor acts ‘on behalf of the controller’ does not necessarily undermine its independence in carrying out specific tasks assigned to it. The processor may enjoy a considerable degree of autonomy in providing its services and may identify the non-essential elements of the processing operation.
To have an entity acting as a data processor, the data controller does not necessarily have to ‘impose’ the entire modalities according to which a particular processing operation should be carried out.
However, the crucial point is that
when a processor acts beyond the mandate by infringing the contract or another legal act or making decisions about the purpose and the essential elements of the means of a specific processing operation, it may qualify as a controller (or a joint controller).
In my view, the scenario above might occur, for instance, in the case of a data breach caused by the misconduct of a data processor. Despite the instructions and checks performed by the data controller, the data processor breaches the instructions through negligent or wilful misconduct, causing a data breach.
This aspect is crucial in a potential dispute before data protection authorities, also considering the high sanctions provided by the GDPR. Indeed, when a processor has acted beyond the instructions received from the data controller, it can be directly liable for the breach of the GDPR and the resulting damages.
The tricky distinction between a joint data controller and separate autonomous data controllers under the guidelines
Joint controllers require a joint determination of “the purposes and means of processing” which occurs where
each controller has a chance/right to determine purposes and essential elements of the means of a processing operation.
The EDPS recognizes that in some cases it is difficult to distinguish between joint controllers and two separate data controllers, not least because the EDPS itself admits that joint controllership does not even require both parties to have access to the personal data.
This topic remains highly uncertain under the GDPR, and it sometimes happens that parties opt for a joint controllership relationship merely to ease the flow of data between them, even though only one of them de facto determines the modalities of processing.
Also, it is vital to define the roles and responsibilities of the parties in a joint controllership agreement, so that neither party is held liable for conduct attributable solely to the other.
My recommendations on choosing between data controller, processor and joint controllership
In my experience, the actual privacy role of the parties is often “negotiated” between them, based on each party's wishes in terms of control over the processing operations or the liability protection it wants to secure.
I have even often heard of the “appointment” of a data controller, which does not make any sense since the role of a data controller is based on a de facto situation. Also, the data controller is the company as a whole rather than an individual, even if he/she is the managing director.
The determination of the appropriate privacy role requires an in-depth review of the factual circumstances, assessing, among others, the following aspects:
- If a product is supplied with no possibility at all to adapt it to the requirements or instructions of the client, is the supplier still a data processor, or does it become a data controller?
- If there is a company that is the shareholder (or even the holding company) of another, will it ever “jointly determine” the modalities of processing with its controlled entity?
- What level of joint determination is necessary to trigger a joint controllership?
These are open questions that will be debated in the coming years. On the same topic, you may find interesting the article “Facebook LIKE button creates joint data controllers and uncertainties”.