The EDPB recently published draft guidelines on the concepts of controller and processor within the meaning of the GDPR. These guidelines were subject to public consultation until October 19, 2020, before being finalised.
The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union (EU), and promotes cooperation between the EU data protection authorities.
The EDPB (established by the GDPR) replaces the “Article 29” Working Party on data protection, which in 2010 had adopted an opinion on the concepts of “controller” and “processor”, albeit within the meaning of Directive 95/46/EC. These concepts and the obligations resulting from Directive 95/46/EC have since evolved with the entry into application of the GDPR, which created new obligations to be borne by both controllers and processors. The Court of Justice of the European Union (CJEU) has also ruled on the interpretation of these concepts, and in particular on that of joint controllers.
The publication of these guidelines therefore falls within an evolving context and responds to a need for clarification.
The guidelines provide details and practical illustrations to help determine whether an entity qualifies as a controller, a joint controller or a processor.
The guidelines provide that a controller is a body that decides certain key elements of the processing, the purposes and means of the processing, i.e. the why and how of the processing. Moreover, controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case, which the guidelines illustrate.
Interestingly, the guidelines specify that certain processing activities can be seen as naturally attached to the role of an entity (an employer in relation to its employees, a publisher to its subscribers or an association to its members), and that in many cases the terms of a contract can help identify the controller, although they are not decisive in all circumstances. Nor is it necessary for the controller to actually have access to the data being processed in order to qualify as a controller.
- Joint controllership
As the qualification as joint controllers may arise where more than one actor is involved in the processing, the guidelines confirm that the overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing.
The EDPB also clarifies that the fact that several actors are involved in the same processing does not mean that they are necessarily acting as joint controllers of that processing. Not all kinds of partnership, cooperation or collaboration imply a qualification as joint controllers, since such qualification requires a case-by-case analysis of each processing operation at stake and of the precise role of each entity with respect to it. As an example of a situation that does not amount to joint controllership, the EDPB gives the following:
A company collects and processes personal data of its employees for the purpose of managing salaries, health insurance, etc. A law imposes an obligation on the company to send all data concerning salaries to the tax authorities, in order to reinforce fiscal control. In this case, even though both the company and the tax authorities process the same data concerning salaries, the lack of jointly determined purposes and means for this processing results in the two entities being qualified as two separate controllers.
Two basic conditions for qualifying as a processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf. The processor must not process the data otherwise than according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organisational means. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.
Contractual relationship between the parties
As regards the contractual relationship between the controller and the processor, the GDPR lists the elements that must be set out in the processing agreement. The EDPB recommends, however, that the processing agreement should not merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how those requirements will be met and which level of security is required for the personal data processing that is the object of the agreement.
The legal form of the arrangement among joint controllers is not specified by the GDPR. For the sake of legal certainty, and in order to provide for transparency and accountability, the EDPB recommends that such an arrangement be made in the form of a binding document, such as a contract or other legally binding act under EU or Member State law to which the controllers are subject.