On 7 September 2020, the European Data Protection Board (EDPB) issued draft guidelines on the concepts of controller and processor. The concepts play a crucial role in the application of the GDPR, as they determine who will be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.
The concepts have not changed compared to the Data Protection Directive 95/46/EC (now repealed) and the general criteria for how to attribute the different roles remain the same. However, the EDPB acknowledges the necessity of providing clarification on these concepts under the GDPR. Since the entry into force of the GDPR, many questions have arisen in relation to the implications of the concept of joint controllership (under Article 26 GDPR), and the specific obligations for processors (under Article 28 GDPR). The guidelines replace the previous Opinion of the Article 29 Working Party on the concepts of controller and processor (Opinion 1/2010).
In part I, the guidelines discuss the definitions of the concepts of controller, joint controllers, processor, and third party/recipient. Part II considers the consequences that are attached to the different roles. The guidelines also contain helpful examples of the circumstances when an entity is a controller, joint controller or processor.