EDPB Draft Guidelines 07/2020 on the concepts of controller and processor
|14 OCTOBER 2020
On 2 September 2020, the European Data Protection Board (EDPB) adopted the Draft Guidelines on the concepts of controller and processor (Guidelines) to identify clear criteria for a correct interpretation of the concepts of controller, joint controllers and processor, as well as to clarify the roles and responsibilities. The Guidelines are currently open for public consultation.
The new Guidelines follow-up on the Article 29 Data Protection Working Party’ (WP29) Opinion 1/2010 on the concepts of controller and processor to reflect the substantial developments of the last decade. Further to the adoption of the GDPR, the definitions of controller and processor remain largely aligned with the previous framework. Nevertheless, the GDPR has introduced important new sets of obligations and responsibilities. The Guidelines take stock and elaborate on these developments, including, in particular, the notion of joint controllership as clarified by the EU Court of Justice’s caselaw, such as Fashion ID.
Definition of Controller
The Guidelines break down the GDPR definition in five main elements:
Definition of Joint Controllers
Joint controllership exists when different parties determine jointly the purpose and means of a processing activity. This joint determination may be in the form of a common decision taken by two or more entities or result from their converging decisions. It should be analyzed using a factual approach. In Wirtschaftsakademie, the CJEU held that the administrator of a fan page hosted on Facebook, by defining parameters based on its target audience and the objectives of managing and promoting its activities, is deemed to take part in the determination of the means of the processing of personal data related to the visitors of its fan page.
However, involvement in the same processing or using a common data processing system, will not in all cases lead to joint controllership. For example, if several research institutes participate in a joint research project using the same platform, each of them feeding personal data into the platform and using data provided by others, they will qualify as joint controllers. However, when one of them carries out processing outside the platform for its own purpose, it acts as a separate controller.
Consequences of Joint Controllership
Joint controllers shall in a transparent manner determine and agree on their respective responsibilities to comply with obligations under GDPR by means of an arrangement, preferably a contract or other binding document. The objective is to ensure that responsibility of each actor is clearly allocated, not necessarily in equal amount, as controllers may individually bear different obligations. For that reason, it is important to draft agreements allocating precisely each party’s responsibilities and liability in accordance with factual circumstances. Nevertheless, irrespective of the arrangement, data subjects may exercise their rights against each of the joint controllers. Supervisory authorities are not bound either by the terms of the agreement.
Definition of Processor
Further to the GDPR reform, processors are recipients of new significant obligations, for which they may be held liable in accordance with articles 28 and 82 of GDPR. A person or entity qualifies as processor where (i) it constitutes a separate entity in relation to the controller and (ii) processes personal data on the controller’s behalf. If a processor processes data outside or beyond the controller’s instructions, the processor breaches its obligations and will qualify as controller in respect of that processing.
The Guidelines recognize that a service provider may act as a processor even if the processing of personal data is not the main or primary object of the service, such as the case of an IT service provider performing general IT support. A case-by-case analysis remains necessary to correctly characterize the situation for GDPR purposes.
The GDPR introduced a clearer framework for engaging further sub-processors to govern the potentially long chain of actors involved in a given processing activity. Sub-processors can only be engaged upon prior authorization of the controller (general or specific) and the same obligations as those imposed on the first processor should be built in the respective contracts. Therefore, a homogenous set of obligations and safeguards should apply along the processing chain. This allows maintaining a record of parties involved and identify potential liabilities. Ultimately, the first processor remains fully liable towards the controller for the performance of the sub-processors’ obligations.
Relationship between Controller and Processor
When engaging a processor, the controller and processor must conclude a binding agreement, in the form of contract or other legal act, including standard contractual clauses (SCC). The act must be in writing and must clearly set out the processor’s obligations. Two years on, such agreements (“data processing agreements”) should not simply restate provisions of the GDPR. Rather, they should be drafted in light of the specific data processing activity and provide all relevant elements, including those concerning the risks to the rights and freedoms of data subjects arising from the processing. Interpreting article 28 of GDPR, the Guidelines set out the following basic set of elements that should be included:
(i) Specific subject-matter (e.g. video recordings of people entering and leaving a facility);
(ii) Duration of the processing;
(iii) Nature and purpose of the processing (e.g. video recording to detect unlawful entry);
(iv) Type of personal data, specified in the most detailed manner possible (e.g. video images of individuals as they enter and leave a facility);
(v) Categories of data subjects (e.g. visitors, employees, etc.);
(vi) Obligations and rights of the controller.
Pursuant to article 28(3) of GDPR, in case the processor deems that the controller’s instructions infringe data protection law, the processor may disregard the controller’s instructions upon promptly informing the controller. The EDPB recommends that the parties negotiate and agree by contract the consequences of notifying an infringing instruction and of the controller’s potential inaction in that regard, for instance by inserting a clause of termination of the contract if the controller persists with an unlawful instruction.
Definition of Third Party and Recipient
For GDPR purposes, a third party is a person or entity other than a data subject, a controller, a processor or a person who, under the direct authority of the controller or processor is authorized to process personal data (such as an employee). A recipient, more generally, is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. If a third party or recipient carries out any processing for its own purpose after it receives the personal data, it will be considered a controller.
Concluding Remarks and Actions
In terms of definitions, the Guidelines do not introduce major changes and largely reflect the developments of the GDPR and of the CJEU’s caselaw. The controller retains a crucial role and bears primary responsibility for processing vis-à-vis data subjects. Under the GDPR framework, processors also face significant obligations and potential scrutiny, to be carefully laid down in detailed contractual terms. Consequently, some operators may be required to review their agreements or amend them to become more circumstantial and tailored to the specifics of a particular data processing activity. It is clear that such exercise can no longer be treated as a mere formality and must reflect faithfully the reality of processing activities.
One significant aspect missing in the Guidelines are the arrangements of liability between controllers and processors, a crucial element of negotiations between the parties, which may often be guided by commercial aspects and power relations between the parties.
The new Guidelines are a useful introductory instrument, however, they are not sufficient in themselves to comprehensively draft and negotiate a data processing agreement. In this context, your company should consider taking the following actions:
§ If you rely on external service providers to process personal data, verify that such services are contractually covered by a data processing agreement (DPA) in addition to the commercial contract;
§ Review your DPAs to clearly and accurately reflect the details of each processing activity;
§ Review your DPAs with the view of clearly identifying each party’s tasks, responsibilities, liabilities and their limits;
§ In particular, issues that should be considered at the negotiation stage include:
§ Processes for data breach notifications;
§ Processes for notification or request of authorization of new sub-processors;
§ Processes to deal with potentially unlawful instructions;
§ Data transfers to third countries;
§ Data exit plans.
Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection related matter.