The EDPB guidelines on the concepts of data controller and processor are a valuable aid to interpreting concepts that are fundamental to the application of the GDPR.
On 7 September 2020, the European Data Protection Board (“EDPB”) launched a consultation on the draft “Guidelines on the concepts of controller and processor in the GDPR”, which replace the previous Guidelines 1/2010 of the Article 29 Working Party.
The purpose of the EDPB Guidelines is to provide more detailed and precise indications on the meaning of the concepts of controller and processor in the light of the definitions contained in EU Regulation 2016/679 (“GDPR”) and to highlight the peculiarities of the different roles as well as the distribution of responsibilities among the actors involved in the processing of personal data.
The concepts of data controller and data processor play a crucial role in the application of the GDPR, as they identify the entities that are personally required to comply with the rules on the protection of personal data, as well as those against whom data subjects may exercise their rights. The entry into force of the GDPR raised numerous questions in this regard. Consider, for example, the introduction of the accountability principle, the new provisions on the processing of personal data addressed not only to data controllers but also to data processors, and the more uncertain figures of joint controllers and third parties/recipients. All of the above has led to new doubts and critical interpretative issues, which undermine the objective of ensuring a consistent and harmonized approach to the processing of personal data in all European Union countries.
In light of the need to ensure a precise, clear, and shared meaning of these concepts as well as the criteria for their correct use, the EDPB has therefore deemed it necessary to provide further clarification and guidance on the subject.
The most relevant aspects that emerge from the guidelines can be summarized as follows:
1. The concept of data controller
The data controller determines the purposes and means of the processing of personal data, i.e., the why and how of processing. However, some of the more practical aspects of implementation may be left to the processor. Moreover, it is not necessary for an entity to have access to the data being processed in order to be qualified as a data controller.
The concepts of data controller and data processor are functional: they aim to allocate responsibilities according to the actual roles of the parties. This implies that the legal status of an entity as a “data controller” or “data processor” must be determined, in principle, by its actual activities in a specific situation, rather than by formal designation as a “data controller” or “data processor”, for example through a contract. It is neither possible to become a data controller nor to reduce the obligations of the data controller by merely shaping the contract in a certain way when the circumstances provide for something else.
2. The concept of joint controller
The general criterion for the existence of a joint controllership is the joint participation of two or more parties in determining the purposes and methods of processing personal data. The joint participation may take the form of a joint decision taken by two or more parties or result from their converging decisions when the decisions complement each other and are necessary for the processing to take place in such a way as to have a tangible impact on the determination of the purposes and methods of processing.
An important criterion is that processing would not be possible without the participation of both parties, in the sense that processing by each of them is inseparable, i.e., inextricably linked.
3. The concept of data processor
The data processor must not process the data except in accordance with the instructions of the data controller. The instructions of the data controller may, however, leave a certain margin of discretion on how best to serve the interests of the data controller, allowing the data processor to choose the most suitable technical and organizational means.
A data processor violates the GDPR, however, if it goes beyond the data controller’s instructions and begins to determine its own purposes and methods of processing. The data processor will then be considered a data controller in this scenario and may be subject to penalties for exceeding the data controller’s instructions.
My feedback on the EDPB guidelines on the concepts of data controller and processor
The EDPB guidelines on the concepts of data controller and data processor hide some complexities that will be difficult to apply in practice.
In particular, the distinction between joint controllership and autonomous data controllers when the processing operations of personal data by two entities are “inextricably linked” is ambiguous. The EDPB did not have much flexibility because of the precedents on the matter by the CJEU that I don’t share. But a more precise position is definitely necessary to avoid privacy regulators overseeing what the actual practice in the market is.
Likewise, the distinction between a standardized service provided as a data processor or as a data controller seems to depend on the level of flexibility left to customers. But drawing the exact line between the two scenarios is almost impossible, while parties might have appreciated a more straightforward position to avoid endless negotiations.
The guidelines are subject to public consultation until 19 October 2020, and I believe that substantial work is necessary to actually make them a step forward on concepts that would otherwise remain nebulous.
On a similar topic, you may find interesting the article “Privacy guidelines on data controller, processor and joint controllership from the EDPS”.
Image credit: Steve Koukoulas