Updated EDPB Guidance on Controllers and Processors – Part 1

On 2nd September 2020, the EU Data Protection Board adopted their new guidance document on data controllers and data processors. In many ways this has been a long time coming, with the only previous guidance consisting of an Article 29 Working Party Opinion, published in 2010 – years before the introduction of the GDPR. The guidance does not make any fundamental changes to the roles in law but seeks to clarify and expand upon the GDPR to provide some practical assistance to organisations. 

Your organisation’s role in the processing of personal dataInformation which relates to an identified or identifiable natural person.... – as a controller, processor, or joint controller – determines what responsibilities, obligations, and liabilities it has with respect to that processing. As such, it is essential that prior to processing, you are able to clearly identify the role you play. Whilst sounding simple, the complexities of data processing have meant that the lines between controller and processor have become increasingly blurred. Thus, this guidance is a timely reminder of how to distinguish between the two, as well as a source of important information regarding the responsibilities of each. 

The guidance is split into two distinct parts. First, it defines the three roles, and expands upon their responsibilities. Secondly, it considers the relationships between them and the agreements that govern these relationships. This first blog considers Part 1 of the guidance, and a second blog looks at Part 2. In each we seek to highlight the key areas where the EDPB has gone beyond what has previously been said before, and, more importantly, what this means for your organisation.  

Roles and Responsibilities – Controllers  

Defining the Controller  

The EDPB clarified two points about the requirements for an organisation to be defined as the controller: 

1. They do not have to be able to access the data being processed to qualify as the controller/joint controller. Where an organisation instructs a service provider to processA series of actions or steps taken in order to achieve a particular end.... personal data on their behalf, the organisation may be deemed the controller regardless of whether they actually receive any of the raw personal data. 
   • • For example, if an organisation employs a service provider to conduct market research on their behalf, the organisation may be a controller even if they only receive the statistical output that has been created from the personal data collected. 
2. They can be the controller for a whole processing flow or only for a particular stage in the processing flow. Here, the EDPB echoed a CJEU decision whereby it was held that a website with a Facebook ‘like’ button embedded into it that transmitted personal data to Facebook, was a joint controller with Facebook, but only in two stages of the processing: the collection and transmission of the personal data. 

Essential v non-essential decision making 

The definition of a controller provided in Article 4 GDPR states that it ‘determines the purposes and means of the processing of personal data’. Whilst the EDPB has reinforced that controllers must decide the purposes of processing, in terms of the means, they have drawn a distinction between the ‘essential’ and ‘non-essential’.  

• Essential – means that are closely linked to the purpose and the scope of processing e.g., the type of personal data to be processed  
• Non-essential – means relating to the practical aspects of implementation e.g., the type of software used 

The guidance states that whilst the controller must make any decisions relating to essential means, decisions relating to non-essential means can be left to the processor, provided they take such decisions in accordance with the general instructions given by the controller regarding the security of the personal data. Although this gives more control to the processor, the EDPB highlight that the controller still remains ultimately responsible for the processing being GDPR compliant and, crucially, they are the ones that must be able to demonstrate compliance. 

Roles and Responsibilities – Processors 

Separation 

The EDPB clarified that in order to qualify as a processor, an organisation must be a separate entity to the controller. Where data processing is done within the controller’s own organisation, perhaps in a different department, this situation does not amount to a controller-processor relationship and therefore no data processing agreement is required.  

Service providers 

The guidance highlights that determining whether a service provider is a processor is more complex than just considering what service they offer to their customers. Where the service provided is not specifically about processing data, or processing data is not a key aspect of the service, service providers may or may not still be processors: 

• Where the provider is actually able to determine the purpose and means of the processing that is required to provide their service, they would be a controller not a processor. 
  • • For example, a taxi service may process personal data through an online booking system as part of providing its service to customers. The processing is not a key aspect of the service, but it will be a controller as it decides what personal information to collect, how long to retain it for etc. 
• Conversely, where processing personal data is not a key aspect of the service provided, but the customer still determines the purposes and means of said processing, the service provider would be a processor.
  • • For example, a company may outsource its customer support to an external provider who has access to the company’s client database. Here, the customer support service is only allowed to process the personal data in the database for the purposes the company has instructed them to. 

Ultimately, the EDPB explains that whether a service provider is a processor or controller will depend upon whether they are processing on behalf of their customer or not. 

Roles and Responsibilities – Joint Controllers 

Common and converging decisions 

The EDPB clarified that organisations are not required to make a common decision about the purposes and means of processing to be classed as joint controllers, if they make converging decisions then this is enough.  

• Common decision: sitting down together to come to a conclusion 
• Converging decision: coming to conclusions independently but the result is that the processing would not be possible without all parties 

Complementary purposes 

Similarly, the purposes of the controllers do not have to be exactly the same, if they are closely linked or ‘complementary’ this is enough to trigger joint controllership. 

External tools/systems 

Following a CJEU case involving Facebook, the EDPB guidance suggests that if an entity uses a tool or system developed by another entity for its own purposes, this can give rise to joint controllership if both entities are pursuing their own interests and participating in deciding on the purposes and means of processing. 

Conclusion 

How helpful is this guidance? 

This new guidance from the EDPB is certainly to be welcomed as assigning the correct roles and responsibilities to different parties is only going to become more difficult as the complexity of data flows increase. However, the extent to which it has made this task easier is up for debate. A lot remains unanswered, most notably with regard to joint controllership and when this will arise. Furthermore, no instruction is given as to what should happen if parties disagree on whether they are joint controllers or not, a difficult scenario that is certainly going to arise in the future. Since the introduction of the GDPR, companies have appeared to be reluctant to consider themselves as joint controllers which is likely due to the lack of clarity surrounding the concept; this guidance is unlikely to change this trend.  

What do organisations need to do now?  

Organisations should use the additional information provided by the EDPB in this guidance to consider whether they have assigned themselves and their third parties the correct roles for the activities that they are performing. In particular, consideration needs to be paid to whether your organisation may be a joint controller with any third parties with which you process data.