
NEWS

EDPB revisits concepts of controller and processor - Key takeaways from the Guidelines 07/2020

29/09/2020

The European Data Protection Board (“EDPB”) has revisited the concepts of “controller” and “processor” in its Guidelines 07/2020 of 2 September 2020 (“Guidelines”). The Guidelines replace the previous opinion 1/2010 (WP169) of the Working Party 29 on these concepts.


Throughout the Guidelines the EDPB emphasizes that the qualification of a party as controller, processor or joint controller depends on its actual activities in a specific situation. These are functional concepts that aim to allocate responsibilities according to the actual roles of the parties. Contractual arrangements the parties have made in this regard are not binding on the authorities and/or courts that have to decide on the qualification.


What we have noticed in practice is that companies in 2018, under pressure to be compliant by the deadline of 25 May 2018, sometimes did not take sufficient time to map the actual processing activities in scope and, hence, did not correctly determine who would act as (joint) controller or processor. Companies rather opted for including a standard clause in all of their agreements, sometimes artificially qualifying the parties as the one or the other. We believe these Guidelines should be seen as an invitation for companies to revisit their own qualification vis-à-vis the different processing activities that take place in the context of their business activities and to be(come) compliant.


We have listed some key takeaways from the Guidelines here below:

REGARDING THE QUALIFICATION AS “CONTROLLER”:

  • it is usually the organisation as such, and not an individual within the organisation (such as the CEO, DPO, an employee or a member of the board), that acts as controller;

  • the same entity may act as controller for certain processing activities and as processor for others; the qualification has to be assessed with regard to each processing activity;

  • the controller has decision-making power regarding key aspects of the processing, either by law (where the law determines it explicitly, or implicitly where the law establishes a task or imposes a duty on someone to collect and process personal data) or by its factual influence (meaning that it, among other things, determines the purpose (the “why”) and the means (the “how”) of the processing activity);

  • the control can extend to the entirety of the processing at issue but may also be limited to a particular stage in the processing;

  • it is not necessary that the controller actually has access to the personal data that is being processed;

  • when engaging a processor, the latter may also have some margin of manoeuvre to make decisions regarding the means (the purpose shall always be determined by the controller);

  • a distinction is made between “essential means” (e.g. types of personal data that are processed, duration, categories of recipients and data subjects) and “non-essential means” (e.g. practical aspects of the implementation, such as the type of hardware or software used or the security measures taken). Essential means are decided by the controller, whereas the decision regarding non-essential means may be delegated to the processor.

 
REGARDING THE QUALIFICATION AS “PROCESSOR”:

  • the two main conditions for qualifying as processor are: (i) being a separate entity (meaning that the controller decides to delegate all or part of its processing activities to an external organisation) and (ii) processing the personal data on the controller’s behalf (meaning that the processor processes the personal data for the benefit of the controller and in accordance with the latter’s instructions);

  • it is prohibited for the processor to determine the purposes of the processing;

  • some degree of discretion is left to the processor to determine how best to serve the controller’s interests, for example by choosing the most suitable technical and organisational means;

  • within a group of companies, one company can act as processor for another group company acting as controller;

  • employees or temporarily employed staff (for example consultants) are not to be seen as processors, since they process personal data as part of the controller’s entity;

  • one can still be deemed a processor even if the processing of personal data is not the main object of the service provided (e.g. an IT service provider providing general support on the customer’s IT systems);

  • the data processing agreement should be concluded between the controller and the processor in writing. The EDPB recommends ensuring that the necessary signatures are included. The data processing agreement should not merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required.

REGARDING THE QUALIFICATION AS “JOINT CONTROLLERS”:

  • joint controllership exists where two or more parties jointly exercise control over the processing activity(ies), “jointly” being understood as “together with” or “not alone”, i.e. joint participation in the determination of the purposes and means;

  • joint participation can take the form of a common decision (i.e. deciding together and having a common intention) or result from converging decisions (i.e. decisions that complement each other and are necessary for the processing to take place, in such a manner that they have a tangible impact on the determination of the purposes and means of the processing);

  • an important criterion for determining whether there are converging decisions is whether the processing would not be possible without both parties’ participation, meaning that the processing by each party is inextricably linked;

  • the fact that one party does not have access to the personal data that is being processed does not suffice to exclude joint controllership;

  • joint controllership does not necessarily imply equal responsibility of the various operators involved in the processing of personal data;

  • the mere existence of a mutual benefit (for example a commercial advantage) arising from a processing activity, or the use of a common data processing system or infrastructure, does not automatically give rise to joint controllership;

  • for the sake of legal certainty and to provide transparency and accountability, the EDPB recommends that the arrangements between joint controllers are made in the form of a contract (or other legally binding document).


Throughout the Guidelines, the EDPB has included many examples to provide guidance on how to interpret the different key takeaways.


The Guidelines can be consulted here.
For more information in this regard, you can always contact Dorien Taeymans (d.taeymans@liedekerke.com).