On September 2, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on the concepts of “controller” and “processor” under the GDPR. The Article 29 Working Party had already issued guidance on this topic in 2010. Although the GDPR did not change the definitions of “controller” and “processor”, the EDPB’s guidelines aim to bring further clarity to these critical concepts and discuss the relationship between them.

The EDPB’s guidelines are divided into two parts.

The first part of the guidelines revisits the concepts of “controller”, “joint controller”, “processor” and “third party”/“recipient” already considered in the 2010 guidance. Below we describe some aspects of the EDPB guidelines that amend, modify or elaborate on the earlier 2010 guidance:

  • As before, a controller is regarded as a party that determines the purposes and the means of processing. However, the EDPB notes that at times the processor may have some influence on the “means” of processing. The guidelines discuss in more detail what “means” a processor can determine without becoming a controller. The guidelines introduce the concepts of “essential means” and “non-essential means” and provide examples of each. According to the guidance, “non-essential means” concern “more practical aspects of implementation, such as the choice for a particular type of hard- or software or the detailed security measures”. While processors are able to take decisions about “non-essential means”, decisions about “essential means” must be taken by the controller.
  • A person may be the controller for the entire processing activity or only for a particular stage of the processing (in this respect the guidance refers to the CJEU’s judgment in Fashion ID).
  • A controller does not need to have access to the data in order to be qualified as such. It suffices that it has control over how the data is processed. Again, this is consistent with EU-level case law.
  • The main criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing activity through a “common decision” or “converging decisions” (both terms are defined in the guidelines). A “common decision” is when both controllers take decisions about the processing together. A “converging decision” is when both controllers take decisions about different aspects of the processing which complement each other, such that the processing would not be possible without the decisions of both controllers.
  • The existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data.
  • The processor must be a separate legal entity in relation to the controller. A processor can be another group company, but a department within a company cannot be a processor for another department within that same company.

The second half of the guidelines analyses the relationships between the controller and the processor and between joint controllers. It starts by discussing the risk assessment that controllers need to conduct on processors and the data processing agreement that needs to be put in place. The guidelines clarify, in particular, that:

  • The processor should notify any changes it intends to make to its data processing agreement directly to the controller and obtain the latter’s approval. It is not sufficient to simply publish the changes on the processor’s website and attempt to change the agreement unilaterally.
  • The data processing agreement between the controller and the processor should include a description of the security measures implemented by the processor. The agreement should also include an obligation on the processor to obtain the controller’s approval before making changes to the security measures and a regular review of the security measures by the processor.
  • The agreement should indicate the process by which the controller may approve or reject sub-processors.
  • Details concerning the nature of the assistance provided by the processor with regard to data subjects’ rights requests should be set forth in the agreement or in an annex thereto.
  • Where the controller decides to accept certain sub-processors at the time the agreement is executed, a list of the approved sub-processors should be included in the agreement or an annex thereto.
  • Where the controller provides a general authorization for the use of sub-processors, the contract or an annex thereto should include criteria to guide the processor’s selection of such sub-processors.

This section of the guidelines also discusses in detail the relationship between joint controllers. Interestingly, it establishes compliance measures and related obligations that joint controllers should include in their “arrangement” that go beyond those listed in Article 26(1) GDPR. The guidelines also suggest that joint controllers should document the relevant factors that led to the allocation of responsibilities between them. The arrangement should be in writing and should allow a joint controller to seek recovery against other joint controllers for losses caused by their breach.

The EDPB’s guidelines provide useful guidance on the application of these fundamental concepts in practice, which is not always straightforward. We will keep monitoring for additional guidance issued by the EDPB on these and other topics.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) with the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.