The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I of this blog, we outline some of the key highlights of the Guidelines in respect of the controller and processor concepts and the implications of the controller to processor relationship. Part II will address the key highlights of the Guidelines in respect of joint controllers.
The concepts and the general criteria for how different roles are attributed has not changed compared to the Data Protection Directive 95/46/EC (now repealed). However, following the entry into force of the GDPR and recent rulings of the Court of Justice of the European Union (CJEU), a number of questions have been raised regarding these concepts (particularly the implications of the concept of joint controllership) and the EDPB has acknowledged the need for clarity in this respect. Part I of the Guidelines clarifies the concepts of controller, joint controller, processor and third party/recipient. Part II sets out the consequences attached to the roles. The Guidelines also provide practical examples of the circumstances in which each role may be attributed to an entity, as well as a flow chart to provide further practical assistance. The Guidelines replace the previous Opinion of the Article 29 Working Party on the concepts of controller and processor (Opinion 1/2010).
- The EDPB is clear that an assessment of which role an organisation fulfils should be based on a factual rather than formal analysis. Control can stem from law (e.g. where national law designates local authorities with the power to administer social welfare payments) but will more commonly be based on the organisation’s actual activities and functions in a specific situation. The Guidelines are clear that a case-by-case analysis is required and the assessment should be driven by the factual realities of the processing activities, and the terms of a contract are not decisive in all circumstances. From an accountability perspective, organisations should document the reasoning behind their determination that they fulfil a particular role.
- The EDPB emphasises that the concept of controller should be interpreted in a sufficiently broad way which favours protection of data subjects as much as possible.
- The EDPB notes that the same entity may act as controller for certain processing operations and as processor for others – accordingly, the qualification as controller or processor must be assessed in the context of each specific processing activity.
- A controller determines both the purposes and means of the processing of personal data (i.e. the “why” and the “how” of the processing). If an entity only determines one of these aspects, this will not be sufficient to qualify it as a controller.
- The EDPB recognises that a degree of discretion can be given for the processor to “make some decisions in relation to the processing“. However, the controller must determine the “essential” means of the processing, which is closely aligned with the purpose of processing – the controller must decide the type of personal data to be processed, whose data will be processed, the duration of the processing and the recipients of the processing. Only decisions on “non-essential” means of the processing can be left to the processor, i.e. more practical aspects of the processing such as the hardware, software and security measures to be used.
- The controller does not need to have actual access to the data that is being processed to qualify as a controller.
- The EDPB notes the two key conditions for qualifying as a processor are: (i) the organisation is a separate entity in relation to the controller (i.e. an external organisation) and (ii) it processes personal data on the controller’s behalf. For example, within a group of companies, one company can be a processor to another company acting as controller, as both companies are separate entities. However, employees (acting under the direct authority of the controller) are not processors as they process personal data as part of the controller’s entity.
- As set out above, processors may have a degree of discretion to determine certain “non-essential” means of the processing. However, processors must serve the controller’s interests. If a processor uses the data for its own purposes it will be a controller and may be subject to sanctions under the GDPR for going beyond the controller’s instructions.
- The EDPB notes that just because a counterparty provides services to the controller does not mean that a service provider is automatically a processor and, as mentioned above, a case-by-case analysis is required to determine whether the organisation is actually processing the data on behalf of the controller.
Controller to Processor Relationship
- Controllers have the primary responsibility for compliance with the GDPR due to the accountability principle and other obligations, which are imposed directly by the GDPR on controllers. Controllers must only engage processors that provide sufficient guarantees that the processing will meet GDPR requirements. Completing this assessment could include the processor making available certain documents to the controller (e.g. privacy notice, security standards, external audits etc.) for review and the controller should consider the processor’s knowledge, resources and reliability in carrying out its review. This will be a risk-based assessment made on a case-by-case basis and the EDPB notes that the assessment should be undertaken at appropriate intervals (not only at the onboarding stage) and through the use of audits and inspections (where appropriate).
- The obligation to ensure the provision of sufficient guarantees also applies to granting authorisation for processors to engage sub-processors. From a practical perspective, this means that controllers should build an additional layer into their due diligence process when engaging service providers who, in turn, engage sub-processors.
- Article 28 GDPR requires a written contract to be put in place governing the processing between a controller and processor. The EDPB clarifies that this obligation applies to both the controller and the processor. This contract should not merely restate the provisions of the GDPR and instead should include more specific, concrete information as to how the requirements will be met in practice and the data security measures to be adopted by the processor. See our recently published blog which sets out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors to ensure compliance with Article 28 GDPR.