
The European Data Protection Board published the long-awaited guidelines on the concepts of controller and processor in the GDPR

The European Data Protection Board (“EDPB”) has published the long-awaited guidelines on the concepts of controller and processor in the GDPR (Guidelines 07/2020 on the concepts of controller and processor in the GDPR). The guidelines are not yet final and are open for public feedback until 19 October 2020.

 

While the concepts of controller and processor in the GDPR have not changed compared to the earlier Data Protection Directive (95/46/EC), the entry into force of the GDPR has raised many questions and great uncertainty for organisations when defining these roles in practice. The guidelines also cover the concept of ‘joint controllership’ under Article 26 of the GDPR and the obligations of data processors under Article 28 of the GDPR.

 

The concepts of controller and processor play a crucial role in the application of the GDPR, as they determine who is responsible for compliance with the different obligations. It is therefore of paramount importance that the precise meaning of these concepts is sufficiently understood within any organisation that processes personal data.

 

So let’s take a closer look at the guidelines. As usual, we hope you find this post useful and would love to receive your comments or feedback on it on social media.

 

1. Who is a data controller?

 

A controller is defined in Article 4(7) of the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

 

Looking at the definition, the GDPR provides five main building blocks for determining whether an organisation acts as a controller when processing personal data. The building blocks are 1) the natural or legal person, public authority, agency or other body, 2) that determines, 3) alone or jointly with others, 4) the purposes and means, 5) of the processing of personal data. Each of these is analysed briefly below.

 

“the natural or legal person, public authority, agency or other body”

 

The first building block is fairly straightforward: in principle, there is no limitation as to the type of entity that may assume the role of a controller. While the controller is usually an organisation, it may also be an individual or a group of individuals.

 

“that determines”

 

The second building block refers to the controller’s influence over the processing of personal data; in effect, it means the controller’s exercise of decision-making power over the processing. A controller is the body that decides certain key elements of the processing.

 

When assessing the roles in practice, one should always look at the specific processing operations in question and assess who determines them. This can be done by considering the following questions: “Why is this processing taking place?” and “Who decided that the processing should take place for a particular purpose?”

 

In some situations, the “determining body” can be easily identified, especially where the control over the processing operation comes directly from a legal requirement (Union or Member State law). It is common that the law establishes a task or imposes a duty on someone to collect and process personal data. The EDPB provides a practical example of this scenario:

 

A national law in Country X lays down an obligation for municipal authorities to provide social welfare benefits such as monthly payments to citizens. In order to carry out these payments, the municipal authority must collect and process personal data about the citizens. Even though the law does not explicitly state that the municipal authorities are controllers for this processing, the controllership follows implicitly from the legal provision.

 

In the absence of control arising from legal provisions, the qualification of a party as controller must be established on the basis of an assessment of the factual circumstances surrounding the processing.

 

A good rule of thumb is to remember that many business relationships can contain multiple processing operations and thus multiple purposes. In other words, the same entity may act at the same time as a controller for certain processing operations and as a processor for others, and the qualification as controller or processor has to be assessed with regard to each specific processing activity.

 

The EDPB reminds us that contractual terms are not decisive in all circumstances, as this would simply allow the parties to allocate responsibility as they see fit. As the EDPB points out, it is not possible either to become a controller or to escape controller obligations simply by drafting the contract in a certain way where the factual circumstances say something else.

 

“alone or jointly with others”

 

Article 4 of the GDPR recognises that the purposes and means of processing may be determined by more than one actor. In other words, several different entities can act as controllers for the same processing. Correspondingly, an organisation can still be a controller even if it does not make all the decisions regarding the purposes and means of processing (joint controllership).

 

“the purposes and means”

 

Determining the “purposes and means” of processing is one of the most crucial parts of assessing in which roles the organisations in question are operating. A ‘purpose’ can be understood as “an anticipated outcome that is intended” and the ‘means’ as “how such outcome will be achieved”.

 

Put more simply, this can be done by assessing who decides “why” personal data will be processed (the purpose) and “how” personal data will be processed to achieve that purpose (the means). In practice, however, processors often make certain decisions, especially on “how” to carry out the processing. The EDPB therefore recognises that some margin of manoeuvre may exist for the processor to make some decisions, and divides the ‘means’ of processing into two sub-parts: “essential means” and “non-essential means”.

 

The EDPB provides some examples of essential means: the type of personal data that will be processed, the duration of the processing (how long personal data will be processed), the categories of recipients (who will have access to the personal data) and the categories of data subjects (whose data will be processed). Correspondingly, the EDPB gives examples of non-essential means of processing, such as the choice of a particular type of hardware or software.

 

“of the processing of personal data”

 

Naturally, the purposes and means of the processing must relate to the processing of personal data. Anyone who decides to process data must carefully consider whether this includes personal data or not. Unfortunately, within this blog post we cannot provide detailed guidance on the concept of personal data. However, the Article 29 Working Party (the EDPB’s predecessor under the old data protection directive) has written an excellent opinion (Opinion 4/2007) on the concept of personal data, which we recommend everyone to read. You will find the opinion here.

 

2. Who is a data processor?

 

A processor is defined in Article 4(8) of the GDPR as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

 

To assess whether a body qualifies as a processor, two basic conditions apply: 1) it must be a separate entity in relation to the controller, and 2) it must process personal data on the controller’s behalf.

 

Acting “on behalf of” means that the processor serves only the controller’s interests and implements the instructions given by the controller, at least with regard to the purpose of the processing and the essential elements of the means. Acting “on behalf of” also means that the processor may not carry out any processing for its own purposes. As clarified in Article 28(10) of the GDPR, a processor infringes the GDPR by going beyond the controller’s instructions and determining its own purposes and means of processing. In such situations, the processor will be considered a controller in respect of that processing and may be subject to monetary sanctions and to lawsuits for breach of its contract with the controller.

 

The EDPB reminds us that the role of a processor does not stem from the nature of the entity that is processing personal data but from its concrete activities in a specific context. Therefore, a case-by-case analysis remains necessary when determining the roles between two organisations.

 

3. When are organisations deemed as ‘joint controllers’?

 

The definition of a controller forms the starting point for determining whether there is joint controllership between two bodies. Joint controllership exists with regard to a specific processing activity when different parties jointly determine the purpose(s) and means of that processing activity. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a specific processing operation.

 

As always, the assessment should be based on a factual, rather than a formal, analysis. All existing and envisaged arrangements should be checked against the factual circumstances of the relationship between the two bodies. It is not uncommon for the formal appointment not to reflect the reality of the arrangements.

 

Joint participation implies that more than one entity has a decisive influence over whether and how the processing of personal data takes place. The fact that one of the parties does not have access to the personal data is not sufficient to exclude joint controllership. In case C‑25/17 (Jehovah’s Witnesses), the Court of Justice of the European Union (“CJEU”) found the religious community to be a controller, jointly with its members, who carried out the processing of personal data in the context of door-to-door preaching. The community did not have access to the personal data but participated in the determination of the purposes and means by organising and coordinating the activities of its members, which helped to achieve the objectives of the community.

 

In addition, joint controllership can also occur when the entities do not have the same purpose for the processing but their purposes are closely linked or complement each other. This may be the case when there is a mutual benefit arising from the same processing operation, provided that each of the entities involved has participated in the determination of the purposes and means of the processing. In case C-40/17, the CJEU found a website operator to be a controller, jointly with Facebook, when embedding a social plug-in on its website. The CJEU found that the processing operations at issue were performed in the economic interests of both parties.

 

4. Why should we care about defining the roles in practice?

 

The concepts of controller and processor play a crucial role in the application of the GDPR, as they determine who is responsible for compliance with the different obligations. It is therefore of paramount importance that the precise meaning of these concepts is sufficiently understood within any organisation that processes personal data.

 

5. A flowchart to help determine the roles in practice