Privacy & Information Security Law Blog

On September 7, 2020, the European Data Protection Board (“EDPB”) released draft Guidelines 07/2020 on the concepts of controller and processor in the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines aim to (1) clarify the concepts of controller, joint controllers, processor, third party and recipient under the GDPR by providing concrete examples with respect to each; and (2) specify the consequences attached to the different roles of controller, joint controllers and processor. The Guidelines replace the previous opinion of the Article 29 Working Party on these concepts.

Background
The concepts of controller and processor play a crucial role in the application of the GDPR since they determine who is responsible for compliance with the GDPR obligations and how individuals (“data subjects”) can exercise their data protection rights in practice. The concepts of controller and processor have not changed compared to the previous EU data protection framework (Directive 95/46/EC). However, the GDPR has introduced new obligations on those actors. In addition, the Court of Justice of the European Union (“CJEU”) in recent rulings has clarified the concept of joint controllership and its implications. These new obligations paired with the CJEU rulings gave rise to many questions regarding to what extent the GDPR brought changes to the concepts of controller and processor and their respective roles. The Guidelines seek to address these questions and ensure a consistent and harmonized approach in the application of the concepts throughout the European Economic Area.

The Guidelines consist of two parts: the first part explains the different concepts, while the second part provides detailed guidance on the main consequences of the concepts for controllers, processors and joint controllers. The Guidelines also include a flow chart to provide further practical guidance.

Below is a summary of the key takeaways from the Guidelines.

Controller

• The concept of controller should be interpreted in a sufficiently broad way so as to ensure full effect of EU data protection law.
• It is not necessary that controllers have access to the personal data.
• Controllers must determine both the purposes and means of the processing of personal data (i.e., the “why” and “how” the data is processed).  Accordingly, if an organization only determines the purpose of the processing, this will not be sufficient to qualify the organization as a controller. To be considered a controller, the organization also will have to determine “essential” means of the data processing (e.g., the type of personal data processed, the duration of the data processing, the categories of data recipients and the categories of data subjects). Conversely, decisions on “non-essential” means of the data processing can be left to the processor (e.g., the type of IT systems or other technical means to use for the data processing or the details of the security measures to be implemented based on the general security objectives set by the controller).

Joint Controllers

• The qualification as joint controllers implies the joint participation of two or more entities in the determination of the purposes and means of a data processing activity (i.e., two or more entities must jointly determine both the purposes and “essential” means of the data processing).
• Joint participation can take the form of a common decision by two or more entities on the purposes and means of the data processing or simply result from converging decisions on those purposes and means. An important criterion to identify converging decisions in this context is whether the data processing would not be possible without both parties’ participation (i.e., the processing by each party is inextricably linked).
• In practice, joint controllership may arise where the parties pursue purposes that are closely linked or complementary (e.g., where there is a mutual benefit arising from a data processing operation, provided that each party also participates in the determination of the means of the data processing).
• The parties may jointly determine the means of the data processing when they use a platform or standardized tool that has been set up in a certain way by one of the parties and made available to the others, who also can decide on how to set it up.

Processor

• Processors may have a certain discretion about how to serve the controller’s interests (e.g., by choosing the appropriate technical and organizational means of the data processing). However, processors can never determine the purpose of the data processing. A processor will infringe the GDPR if it goes beyond the controller’s instructions and starts determining its own purposes and means of processing.
• Nothing prevents processors from offering a preliminary defined service but the controller must make the final decision to actively approve the way the data processing is carried out and must be able to request changes, if necessary. Processors cannot at a later stage change the essential elements of the processing without the approval of the controller.

Controller/Processor Relationship

• Controllers must only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures. When assessing a processor’s guarantees, controllers should take into account the processor’s expert knowledge, reliability and resources. This assessment should be carried out at appropriate intervals, and not only at the onboarding stage.
• The data processing agreement that the controller and processor must execute in accordance with Article 28 of the GDPR must not simply restate the provisions of the GDPR. Rather, the data processing agreement should include more specific and concrete information as to how the GDPR requirements will be met in practice. In particular, the contract should specify the data security measures adopted by the processor, impose an obligation on the processor to obtain the controller’s approval before making any changes to the list of security measures and a regular review of those measures to allow the controller to assess their appropriateness.
• Similarly, the data processing agreement should contain details as to how the processor will help the controller meet its obligations under Articles 32-36 of the GDPR (i.e., obligations related to the security of the personal data, data breach notifications and data protection impact assessments).
• Further, when the controller provides a general authorization to the processor to engage sub-processors, such authorization should be supplemented with criteria to guide the processor’s choice (e.g., guarantees in terms of technical and organizational measures, expert knowledge, reliability and resources)

Relationship Among Joint Controllers

• Joint controllers must determine and agree on their respective responsibilities for complying with the GDPR. Although the GDPR is not prescriptive about the form of such an arrangement, the Guidelines recommend that it take the form of a binding document, such as a contract.
• In terms of content, this arrangement should cover not only the parties’ obligations to provide notice and comply with data subject rights requests but also their other obligations as controllers under the GDPR, such as (1) the implementation of the GDPR fundamental data protection principles; (2) the obligation to have a proper legal basis for the data processing; (3) the implementation of data security measures; (4) the obligation to notify personal data breaches to the competent supervisory authority and affected data subjects; (5) the obligation to conduct data protection impact assessments where applicable; (6) the use of a processor; (7) the obligation to ensure compliance with the cross-border data transfer restrictions; and (8) the organization of contact with data subjects and supervisory authorities.
• The allocation of responsibilities between the joint controllers should take into account factors, such as which party is in the best position to comply with those obligations. These factors and the parties’ internal assessment for the allocation of their responsibilities should be documented for accountability purposes.
• The GDPR obligations do not need to be equally distributed among joint controllers. In some cases, all joint controllers may need to comply with the same GDPR obligations. For example, each joint controller must ensure that they have a legal basis for the processing and that the data is not further processed in manner that is incompatible with the purposes for which the data was originally collected by the controller sharing the data.
• The GDPR further requires that the “essence” of the arrangement between the joint controllers be made available to data subjects. That essence should cover at least all the elements of information required by Articles 13 and 14 of the GDPR (i.e., the parties should specify which joint controller is responsible for each of these elements). It is then up to the joint controllers to decide the most effective way to make this information available to data subjects (e.g., in their privacy policy or upon request from data subjects to the data protection officer, if any, or to the contact point the parties have designated).

The Guidelines are open to public consultation until October 19, 2020. EU supervisory authorities encourage any interested parties to contribute to the consultation by providing comments on the Guidelines.