EDPB Publishes Guidelines on the GDPR Concepts of Controller, Joint Controller and Processor
Publication: ZRVP
On September 2, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on the concepts of “controller” and “processor” under the GDPR. Although the GDPR did not change the definitions of “controller” and “processor”, the EDPB’s guidelines aim to clarify these critical concepts by providing concrete examples with respect to each, and to specify the consequences attached to the different roles of controller, joint controllers and processor. The Guidelines replace the previous opinion of the Article 29 Working Party on these concepts.
The European Data Protection Board (EDPB) has recently published draft Guidelines on specific concepts used by the EU General Data Protection Regulation (“GDPR”). These new instructions replace the previously issued opinion of the Article 29 Working Party on the concepts of “controller” and “processor” and ensure a consistent and harmonized approach across all Member States.
While the definitions of “controller” and “processor” have not been changed by the data protection legal framework, an impact on these roles may be implied by the new obligations introduced for them and by the new ruling of the Court of Justice of the European Union, which set out the concept of joint controllership.
The need for sufficiently clear explanations of what “controller” and “processor” mean is underlined by the role these parties play in the application of the GDPR. The two concepts determine who is responsible for compliance with different data protection rules and how data subjects can exercise their rights.
As a general view, a controller is a body that must decide on both purposes and means of data processing, always being responsible for key elements. On the other hand, a processor is a natural or legal person which processes personal data on behalf of the controller and according to the controller’s instructions.
A few takeaways from the new Guidelines highlight the following key aspects, which offer in-depth explanations of the two concepts:
- Joint controllership is considered when several actors are involved in data processing, that is, when two or more entities jointly participate in the decisions on both the purposes and the means of a processing operation;
- With regard to the relationship between a controller and a processor, one should always consider the need to conclude a written contract or any other legal act which governs their relationship;
- A clear line must be drawn between the responsibilities of a controller and those of a processor in order to establish which decisions can be taken by each of them. It is clearly stated that a controller must always decide on both the purpose and the means of the processing, but there may be situations in which the processor is also able to make certain decisions on practical aspects (e.g. the choice of security measures or the type of hardware used for data processing) of how to carry out the processing. This is why the Guidelines bring to light the difference between essential and non-essential means as a criterion of distinction;
- Essential means are reserved to the controller and are closely related to the purpose and the scope of the processing, while non-essential means concern more practical aspects of implementation, which can be left to the processor to decide;
- A controller might fulfil either a single controlling operation or a set of operations. Therefore, a controller can be involved in one or multiple controlling stages;
- Moreover, a controller who outsources a processing activity retains influence over the means and purpose of the controlling activity but does not need to have actual access to the data to qualify as a controller;
- With regard to which entity can fulfil the role of a processor, the Guidelines highlight that the processor must be a separate legal entity in relation to the controller. To clarify the link between these concepts, it is expressly stated that, while the controller can be one company within a group and the processor another company within that group, a department within a company cannot be a processor for another department within that same company.
The Guidelines are under consultation until October 19, 2020, and EU supervisory authorities encourage any interested parties to contribute to the consultation by providing comments on the Guidelines.