On 2 September 2020, the European Data Protection Board (EDPB) adopted the updated Guidelines 07/2020 on the concepts of controller and processor in the GDPR. The document builds upon the Article 29 Working Party Opinion 1/2010 (WP169) and provides more developed and specific clarifications of these concepts. The guidelines also offer pragmatic insights, focusing on the importance of context and of the actual influence each party exercises, which in many cases determines the relationship between the parties.
In the first part of the guidelines, the EDPB provides clarifications on the roles and responsibilities of the following concepts:
- Since the role of the controller is crucial for the purposes of accountability, it should be interpreted in a ‘sufficiently broad way’. This should ensure the full effect of the EU data protection legislation, avoiding legal lacunae and preventing possible circumvention of the law.
- A controller’s decision-making power over the purposes and means of the processing is independent of whether it has actual access to the data. The EDPB gives the example of a company that remains the controller of marketing research processing even where the service is provided by another party and the company has no access to the personal data involved.
- Additionally, the EDPB introduces the concept of ‘essential means’ to clarify the objects of controllers’ decision-making power. Examples of ‘essential means’ that must be determined by the controller include the types of personal data processed, the duration of the processing, the categories of data subjects, and the categories of recipients. ‘Non-essential means’ concern practical aspects of the processing, such as the security measures in place, and may be left to the processor.
- To be qualified as joint controllers, two or more entities must jointly participate in the determination of purposes and ‘essential’ means of the processing.
- This joint determination can take the form of a common decision or a converging decision between them. For a decision to be converging the processing should not be possible without the participation of all parties.
- Joint controllership can also be established where the entities have different but correlated purposes and there is mutual benefit arising from the processing operation.
- In light of CJEU case law, joint determination of the means of the processing can be established where one party uses a tool or platform developed by another party for its own purposes. This does not mean, however, that the mere use of a common data processing system is enough in itself to qualify the parties involved as joint controllers.
- A processor must be a ‘separate entity’ (i.e., external) in relation to the controller. A department within a company, or the company’s own staff, cannot generally be a processor for that same company.
- A processor processes personal data ‘on the controller’s behalf’, implementing the controller’s instructions in relation to the purposes and ‘essential means’ of the processing. The lawful basis of the processing is likewise derived from the controller’s activity.
- Where the processor is a service provider, it must present the service in sufficient detail to allow the controller to take the final decision, actively approving the way the processing is carried out and requesting changes where necessary.
In the second part, the EDPB focuses on the relationships between the concepts above, digging into the consequences attached to each role:
Relationship between controller and processor
- Controllers are responsible for the ‘continuous’ assessment of whether a processor provides sufficient guarantees to implement the processing operation in a way that satisfies the requirements of the GDPR. This will often require an exchange of relevant documentation, generally to allow the processor to demonstrate its suitability or to enable the controller to provide additional instruction to the processor.
- Data processing agreements between controllers and processors should contain detailed references of the security measures to be adopted, an obligation on the processor to obtain controller’s approval before changing them, and a regular review to ensure their appropriateness.
- If the data processing agreement contains a general authorisation for the use of sub-processors, the processor should provide a list of sub-processors in an annex to the contract.
Consequences of joint controllership
- There can be a certain degree of flexibility in the distribution and allocation of obligations among joint controllers, provided each controller ensures that the joint processing activities are carried out in compliance with data protection law.
- The allocation of responsibilities should take into consideration the competences of the parties, as well as which party is in the best position to comply with the obligations. This should be documented for accountability purposes.
- Each controller is responsible for ensuring that it has a valid legal basis for its processing.
- The essence of the arrangement between joint controllers shall be made available to data subjects. The EDPB recommends that this should at least cover which joint controller is responsible for providing each element of the information referred to in Articles 13 and 14 of the GDPR.
Due to the complexity of applying these concepts and the lack of legal precedent, in practice both controllers and processors face a number of challenges when establishing the extent of their respective responsibilities and ensuring ongoing governance between the parties. Trilateral Research’s Data Protection and Cyber-risk team offers data sharing agreement services to help organisations ensure compliance with the relevant obligations covered by these guidelines. For more information please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.
Further reading: Data protection roles in health research: Controllers vs Processors