On September 2, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on the concepts of “controller” and “processor” under the GDPR. The Article 29 Working Party had already issued guidance on this topic in 2010. Although the GDPR did not change the definitions of “controller” and “processor”, the EDPB’s guidelines aim to bring further clarity to these critical concepts and to the relationship between them.
The EDPB’s guidelines are divided into two parts.
The first part of the guidelines revisits the concepts of “controller”, “joint controller”, “processor” and “third party”/“recipient” already considered by the 2010 guidance. Below we describe some aspects of the EDPB guidelines that amend, modify or supplement the earlier 2010 guidance:
- As before, a controller is a party that determines the purposes and the means of processing. However, the EDPB notes that the processor may at times have some influence on the “means” of processing. The guidelines discuss in more detail which “means” a processor can determine without becoming a controller. To do so they introduce the concepts of “essential means” and “non-essential means” and provide examples of each. According to the guidelines, “non-essential means” concern “more practical aspects of implementation, such as the choice for a particular type of hard- or software or the detailed security measures”. Essential means, by contrast, are those closely linked to the purpose and scope of the processing, such as the type of personal data processed, the duration of the processing and the categories of recipients and data subjects. While processors may take decisions about “non-essential means” (subject to the contractual controls over security measures discussed in the second part of the guidelines), decisions about “essential means” must be taken by the controller.
- A person may be the controller for the entire processing activity or only for a particular stage of it (in this respect the guidelines refer to the CJEU’s judgment in Fashion ID).
- A controller does not need to have access to the data to qualify as such. It suffices that it has control over how the data is processed. Again, this is consistent with CJEU case law.
- The main criterion for joint controllership is the joint participation of two or more entities in determining the purposes and means of a processing activity, either through a “common decision” or through “converging decisions” (both terms are defined in the guidelines). A “common decision” is one the controllers take about the processing together. “Converging decisions” are decisions each controller takes about different aspects of the processing which complement each other and are each necessary, so that the processing would not be possible without the decisions of both.
- The existence of joint responsibility does not necessarily imply equal responsibility of the various entities involved in the processing of personal data.
- The processor must be a separate legal entity from the controller. A processor can be another company in the same corporate group, but a department within a company cannot be a processor for another department of that same company.
The second part of the guidelines analyses the relationships between the controller and the processor and between joint controllers. It starts by discussing the assessment a controller must make of whether a processor provides sufficient guarantees, and the data processing agreement that needs to be put in place. The guidelines clarify, in particular, that:
- The processor should notify any changes it intends to make to the data processing agreement directly to the controller and obtain the controller’s approval. It is not sufficient for the processor simply to publish the changes on its website and thereby attempt to change the agreement unilaterally.
- The data processing agreement between the controller and the processor should include a description of the security measures implemented by the processor. The agreement should also oblige the processor to obtain the controller’s approval before changing those security measures, and to review them regularly.
- The agreement should set out the process by which the controller may approve or reject sub-processors.
- Where the controller accepts certain sub-processors at the time the agreement is executed, a list of the approved sub-processors should be included in the agreement or in an annex to it.
- Where the controller gives a general authorization for the use of sub-processors, the agreement or an annex to it should include criteria to guide the processor’s selection of such sub-processors.
- Details of the assistance the processor will provide with data subject rights requests should be set out in the agreement or in an annex to it.
This part of the guidelines also discusses in detail the relationship between joint controllers. Notably, it sets out compliance measures and related obligations that joint controllers should include in their “arrangement” which go beyond those listed in Article 26(1) GDPR. The guidelines also suggest that joint controllers document the relevant factors that led to the allocation of responsibilities between them. The arrangement should be in writing and should allow a joint controller to seek recovery from the other joint controllers for losses caused by their breach of it.
The EDPB’s guidelines provide useful guidance on the application of these fundamental concepts in practice, which is not always straightforward. We will continue to monitor further guidance issued by the EDPB on these and other topics.