On September 7, 2020, the European Data Protection Board (“EDPB”) released draft Guidelines 07/2020 on the concepts of controller and processor in the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines aim to (1) clarify the concepts of controller, joint controllers, processor, third party and recipient under the GDPR by providing concrete examples with respect to each; and (2) specify the consequences attached to the different roles of controller, joint controllers and processor. The Guidelines replace the previous opinion of the Article 29 Working Party on these concepts.
Background
The concepts of controller and processor play a crucial role in the application of the GDPR since they determine who is responsible for compliance with the GDPR obligations and how individuals (“data subjects”) can exercise their data protection rights in practice. The concepts of controller and processor have not changed compared to the previous EU data protection framework (Directive 95/46/EC). However, the GDPR has introduced new obligations on those actors. In addition, the Court of Justice of the European Union (“CJEU”) in recent rulings has clarified the concept of joint controllership and its implications. These new obligations paired with the CJEU rulings gave rise to many questions regarding to what extent the GDPR brought changes to the concepts of controller and processor and their respective roles. The Guidelines seek to address these questions and ensure a consistent and harmonized approach in the application of the concepts throughout the European Economic Area.
The Guidelines consist of two parts: the first part explains the different concepts, while the second part provides detailed guidance on the main consequences of the concepts for controllers, processors and joint controllers. The Guidelines also include a flow chart to provide further practical guidance.
Below is a summary of the key takeaways from the Guidelines.
Controller
- The concept of controller should be interpreted in a sufficiently broad way so as to ensure full effect of EU data protection law.
- It is not necessary that controllers have access to the personal data.
- Controllers must determine both the purposes and means of the processing of personal data (i.e., the “why” and “how” the data is processed). Accordingly, if an organization only determines the purpose of the processing, this will not be sufficient to qualify the organization as a controller. To be considered a controller, the organization also will have to determine “essential” means of the data processing (e.g., the type of personal data processed, the duration of the data processing, the categories of data recipients and the categories of data subjects). Conversely, decisions on “non-essential” means of the data processing can be left to the processor (e.g., the type of IT systems or other technical means to use for the data processing or the details of the security measures to be implemented based on the general security objectives set by the controller).
Joint Controllers
- The qualification as joint controllers implies the joint participation of two or more entities in the determination of the purposes and means of a data processing activity (i.e., two or more entities must jointly determine both the purposes and “essential” means of the data processing).
- Joint participation can take the form of a common decision by two or more entities on the purposes and means of the data processing or simply result from converging decisions on those purposes and means. An important criterion to identify converging decisions in this context is whether the data processing would not be possible without both parties’ participation (i.e., the processing by each party is inextricably linked).
- In practice, joint controllership may arise where the parties pursue purposes that are closely linked or complementary (e.g., where there is a mutual benefit arising from a data processing operation, provided that each party also participates in the determination of the means of the data processing).
- The parties may jointly determine the means of the data processing when they use a platform or standardized tool that has been set up in a certain way by one of the parties and made available to the others, who also can decide on how to set it up.
Processor
- Processors may have a certain discretion about how to serve the controller’s interests (e.g., by choosing the appropriate technical and organizational means of the data processing). However, processors can never determine the purpose of the data processing. A processor will infringe the GDPR if it goes beyond the controller’s instructions and starts determining its own purposes and means of processing.
- Nothing prevents processors from offering a preliminarily defined service, but the controller must make the final decision to actively approve the way the data processing is carried out and must be able to request changes, if necessary. Processors cannot at a later stage change the essential elements of the processing without the approval of the controller.
Controller/Processor Relationship
- Controllers must only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures. When assessing a processor’s guarantees, controllers should take into account the processor’s expert knowledge, reliability and resources. This assessment should be carried out at appropriate intervals, and not only at the onboarding stage.
- The data processing agreement that the controller and processor must execute in accordance with Article 28 of the GDPR must not simply restate the provisions of the GDPR. Rather, the data processing agreement should include more specific and concrete information as to how the GDPR requirements will be met in practice. In particular, the contract should specify the data security measures adopted by the processor, impose an obligation on the processor to obtain the controller’s approval before making any changes to the list of security measures, and provide for a regular review of those measures to allow the controller to assess their appropriateness.
- Similarly, the data processing agreement should contain details as to how the processor will help the controller meet its obligations under Articles 32-36 of the GDPR (i.e., obligations related to the security of the personal data, data breach notifications and data protection impact assessments).
- Further, when the controller provides a general authorization to the processor to engage sub-processors, such authorization should be supplemented with criteria to guide the processor’s choice (e.g., guarantees in terms of technical and organizational measures, expert knowledge, reliability and resources).
Relationship Among Joint Controllers
- Joint controllers must determine and agree on their respective responsibilities for complying with the GDPR. Although the GDPR is not prescriptive about the form of such an arrangement, the Guidelines recommend that it take the form of a binding document, such as a contract.
- In terms of content, this arrangement should cover not only the parties’ obligations to provide notice and comply with data subject rights requests but also their other obligations as controllers under the GDPR, such as (1) the implementation of the GDPR fundamental data protection principles; (2) the obligation to have a proper legal basis for the data processing; (3) the implementation of data security measures; (4) the obligation to notify personal data breaches to the competent supervisory authority and affected data subjects; (5) the obligation to conduct data protection impact assessments where applicable; (6) the use of a processor; (7) the obligation to ensure compliance with the cross-border data transfer restrictions; and (8) the organization of contact with data subjects and supervisory authorities.
- The allocation of responsibilities between the joint controllers should take into account factors, such as which party is in the best position to comply with those obligations. These factors and the parties’ internal assessment for the allocation of their responsibilities should be documented for accountability purposes.
- The GDPR obligations do not need to be equally distributed among joint controllers. In some cases, all joint controllers may need to comply with the same GDPR obligations. For example, each joint controller must ensure that it has a legal basis for the processing and that the data is not further processed in a manner that is incompatible with the purposes for which the data was originally collected by the controller sharing the data.
- The GDPR further requires that the “essence” of the arrangement between the joint controllers be made available to data subjects. That essence should cover at least all the elements of information required by Articles 13 and 14 of the GDPR (i.e., the parties should specify which joint controller is responsible for each of these elements). It is then up to the joint controllers to decide the most effective way to make this information available to data subjects (e.g., in their privacy policy or upon request from data subjects to the data protection officer, if any, or to the contact point the parties have designated).
The Guidelines are open to public consultation until October 19, 2020. EU supervisory authorities encourage any interested parties to contribute to the consultation by providing comments on the Guidelines.