EDPB Draft Guidelines 07/2020 on the concepts of controller and processor

14 Oct 2020

On 2 September 2020, the European Data Protection Board (EDPB) adopted the Draft Guidelines on the concepts of controller and processor (Guidelines) to identify clear criteria for a correct interpretation of the concepts of controller, joint controllers and processor, as well as to clarify the roles and responsibilities. The Guidelines are currently open for public consultation.

The new Guidelines follow up on the Article 29 Data Protection Working Party’s (WP29) Opinion 1/2010 on the concepts of controller and processor to reflect the substantial developments of the last decade. Following the adoption of the GDPR, the definitions of controller and processor remain largely aligned with the previous framework. Nevertheless, the GDPR has introduced important new sets of obligations and responsibilities. The Guidelines take stock of and elaborate on these developments, including, in particular, the notion of joint controllership as clarified by the case law of the EU Court of Justice (CJEU), such as Fashion ID.

Definition of Controller

The Guidelines break down the GDPR definition into five main elements:

  1. “The natural or legal person, public authority, agency or other body”. This includes organizations, individuals or a group of individuals. Companies and public bodies may appoint an individual responsible for processing operations; this person will not be deemed a controller as long as he or she acts on behalf of the legal entity.
  2. “Determines”. This entails decision-making power regarding the key elements of data processing. Usually, the determining body can be identified by reference to (i) certain legal provisions or (ii) factual influence. The law may identify who is acting as controller explicitly or implicitly, by imposing a duty on someone to collect and process certain data for a specific purpose. For example, if national law lays down an obligation for municipal authorities to provide social welfare benefits to citizens depending on their financial situation, the municipal authorities must collect and process data about the applicants’ financial circumstances and will be considered a controller in that respect. When control stems from factual influence, the qualification has to be assessed with regard to each specific data processing activity. For example, a law firm representing a client decides what personal data relating to its case to use and how. The law firm’s processing is linked to its functional role and will constitute controllership.
  3. “Alone or jointly with others”. If more than one entity determines the purposes and means of the processing, each of those entities acts as a controller for the same processing and each of them will be subject to the applicable data protection provisions.
  4. “The purposes and means”. The controller determines why the processing is taking place and how to reach this objective. Nevertheless, certain decisions can be left to the processor’s discretion. The Guidelines underline the difference between (a) essential means, such as the type of personal data processed, the duration of the processing and the categories of recipients, which are reserved to the controller; and (b) non-essential means, i.e. practical aspects of implementation, such as the choice of a particular type of hardware or software or detailed security measures, which may be left to the processor’s decision.
  5. “Of the processing of personal data”. An actor will be considered a controller even if it does not deliberately target personal data as such or has wrongly assessed that it does not process personal data, in accordance with the recent findings of the CJEU in Jehovah’s Witnesses and VQ v Land Hessen. Additionally, it is not necessary that the controller actually has access to the data processed, only that it has a determinative influence on the purpose and (essential) means of the processing. For example, a company hires a service provider to obtain information on which types of consumers are most likely to be interested in its products, based on a list of questions for market research. The company is a controller even though it receives only statistical information from the service provider and does not access the personal data itself, because it decides on the processing and its purposes and gives detailed instructions to the service provider.

Definition of Joint Controllers

Joint controllership exists when different parties jointly determine the purpose and means of a processing activity. This joint determination may take the form of a common decision taken by two or more entities or result from their converging decisions. It should be analyzed using a factual approach. In Wirtschaftsakademie, the CJEU held that the administrator of a fan page hosted on Facebook, by defining parameters based on its target audience and the objectives of managing and promoting its activities, takes part in the determination of the means of the processing of personal data relating to the visitors of its fan page.

However, involvement in the same processing or use of a common data processing system will not in all cases lead to joint controllership. For example, if several research institutes participate in a joint research project using the same platform, each of them feeding personal data into the platform and using data provided by the others, they will qualify as joint controllers. However, when one of them carries out processing outside the platform for its own purpose, it acts as a separate controller.

Consequences of Joint Controllership

Joint controllers shall, in a transparent manner, determine and agree on their respective responsibilities for complying with their obligations under the GDPR by means of an arrangement, preferably a contract or other binding document. The objective is to ensure that the responsibility of each actor is clearly allocated, not necessarily in equal measure, as the controllers may individually bear different obligations. For that reason, it is important to draft agreements that precisely allocate each party’s responsibilities and liability in accordance with the factual circumstances. Nevertheless, irrespective of the arrangement, data subjects may exercise their rights against each of the joint controllers. Nor are supervisory authorities bound by the terms of the agreement.

Definition of Processor

Following the GDPR reform, processors are subject to significant new obligations, for which they may be held liable in accordance with Articles 28 and 82 of the GDPR. A person or entity qualifies as a processor where (i) it constitutes a separate entity in relation to the controller and (ii) it processes personal data on the controller’s behalf. If a processor processes data outside or beyond the controller’s instructions, the processor breaches its obligations and will qualify as a controller in respect of that processing.

The Guidelines recognize that a service provider may act as a processor even if the processing of personal data is not the main or primary object of the service, as in the case of an IT service provider performing general IT support. A case-by-case analysis remains necessary to correctly characterize the situation for GDPR purposes.

The GDPR introduced a clearer framework for engaging further sub-processors, to govern the potentially long chain of actors involved in a given processing activity. Sub-processors can only be engaged upon the prior authorization of the controller (general or specific), and the same obligations as those imposed on the first processor should be built into the respective contracts. Therefore, a homogeneous set of obligations and safeguards should apply along the whole processing chain. This allows a record of the parties involved to be maintained and potential liabilities to be identified. Ultimately, the first processor remains fully liable towards the controller for the performance of the sub-processors’ obligations.

Relationship between Controller and Processor

When engaging a processor, the controller and processor must conclude a binding agreement, in the form of a contract or other legal act, including standard contractual clauses (SCC). The act must be in writing and must clearly set out the processor’s obligations. Two years on, such agreements (“data processing agreements”) should not simply restate the provisions of the GDPR. Rather, they should be drafted in light of the specific data processing activity and provide all relevant elements, including those concerning the risks to the rights and freedoms of data subjects arising from the processing. Interpreting Article 28 of the GDPR, the Guidelines set out the following basic set of elements that should be included:

(i) Specific subject-matter (e.g. video recordings of people entering and leaving a facility);
(ii) Duration of the processing;
(iii) Nature and purpose of the processing (e.g. video recording to detect unlawful entry);
(iv) Type of personal data, specified in the most detailed manner possible (e.g. video images of individuals as they enter and leave a facility);
(v) Categories of data subjects (e.g. visitors, employees, etc.);
(vi) Obligations and rights of the controller.

Pursuant to Article 28(3) of the GDPR, where the processor considers that the controller’s instructions infringe data protection law, the processor may disregard those instructions upon promptly informing the controller. The EDPB recommends that the parties negotiate and agree by contract the consequences of notifying an infringing instruction and of the controller’s potential inaction in that regard, for instance by inserting a clause providing for termination of the contract if the controller persists with an unlawful instruction.

Definition of Third Party and Recipient

For GDPR purposes, a third party is a person or entity other than a data subject, a controller, a processor or a person who, under the direct authority of the controller or processor, is authorized to process personal data (such as an employee). A recipient, more generally, is a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. If a third party or recipient carries out any processing for its own purposes after it receives the personal data, it will be considered a controller.

Concluding Remarks and Actions

In terms of definitions, the Guidelines do not introduce major changes and largely reflect the developments of the GDPR and of the CJEU’s case law. The controller retains a crucial role and bears primary responsibility for the processing vis-à-vis data subjects. Under the GDPR framework, processors also face significant obligations and potential scrutiny, which must be carefully laid down in detailed contractual terms. Consequently, some operators may be required to review their agreements or amend them to make them more detailed and tailored to the specifics of a particular data processing activity. It is clear that such an exercise can no longer be treated as a mere formality and must faithfully reflect the reality of the processing activities.

One significant aspect missing from the Guidelines is the allocation of liability between controllers and processors, a crucial element of the negotiations between the parties, which is often guided by commercial considerations and the balance of power between them.

The new Guidelines are a useful introductory instrument; however, they are not sufficient in themselves to comprehensively draft and negotiate a data processing agreement. In this context, your company should consider taking the following actions:

- If you rely on external service providers to process personal data, verify that such services are contractually covered by a data processing agreement (DPA) in addition to the commercial contract;
- Review your DPAs to clearly and accurately reflect the details of each processing activity;
- Review your DPAs with a view to clearly identifying each party’s tasks, responsibilities, liabilities and their limits;
- In particular, issues that should be considered at the negotiation stage include:
  - Processes for data breach notifications;
  - Processes for notification or request of authorization of new sub-processors;
  - Processes to deal with potentially unlawful instructions;
  - Data transfers to third countries;
  - Data exit plans.


Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection related matter.