On 2 September 2020, the European Data Protection Board (EDPB) adopted its new guidance on the concepts of data controller and data processor. In many ways this has been a long time coming: the only previous guidance was an Article 29 Working Party Opinion published in 2010, years before the GDPR came into force. The guidance makes no fundamental changes to the roles as defined in law, but seeks to clarify and expand upon the GDPR so as to give organisations some practical assistance.
Your organisation’s role in the processing of personal data (information relating to an identified or identifiable natural person) – as a controller, processor, or joint controller – determines what responsibilities, obligations, and liabilities it has with respect to that processing. It is therefore essential that, before processing begins, you are able to identify clearly the role you play. Whilst this sounds simple, the complexities of modern data processing have meant that the lines between controller and processor have become increasingly blurred. This guidance is thus a timely reminder of how to distinguish between the two, as well as a source of important information regarding the responsibilities of each.
The guidance is split into two distinct parts. The first defines the three roles and expands upon their responsibilities. The second considers the relationships between them and the agreements that govern those relationships. This first blog considers Part 1 of the guidance, and a second blog looks at Part 2. In each we seek to highlight the key areas where the EDPB has gone beyond what had previously been said and, more importantly, what this means for your organisation.
Roles and Responsibilities – Controllers
Defining the Controller
The EDPB clarified the requirements for an organisation to be defined as the controller, in particular the following:
Essential v non-essential decision making
The definition of a controller in Article 4 GDPR is the entity that ‘determines the purposes and means of the processing of personal data’. Whilst the EDPB has reinforced that the controller must decide the purposes of the processing, in relation to the means it has drawn a distinction between ‘essential’ and ‘non-essential’ means.
The guidance states that, whilst the controller must take all decisions relating to essential means (such as what data is processed, for how long, and who has access to it), decisions relating to non-essential means (such as the choice of particular hardware, software or detailed security measures) can be left to the processor, provided the processor takes those decisions in accordance with the general instructions given by the controller, including those regarding the security of the personal data. Although this gives the processor more latitude, the EDPB highlights that the controller remains ultimately responsible for the processing being GDPR compliant and, crucially, is the party that must be able to demonstrate that compliance under the accountability principle in Article 5(2).
Roles and Responsibilities – Processors
The EDPB clarified that, in order to qualify as a processor, an organisation must be a separate legal entity from the controller. Where processing is carried out within the controller’s own organisation, for example by a different department, there is no controller-processor relationship and therefore no data processing agreement is required.
The guidance highlights that determining whether a service provider is a processor is more complex than simply considering what service it offers to its customers. Where the service provided is not specifically about processing data, or the processing of data is not a key aspect of the service, the service provider may or may not still be a processor.
Ultimately, the EDPB explains that whether a service provider is a processor or a controller depends on whether it processes personal data on behalf of its customer, following the customer’s instructions, or instead determines the purposes and means of that processing itself.
Roles and Responsibilities – Joint Controllers
Common and converging decisions
The EDPB clarified that organisations need not take a common decision about the purposes and means of processing in order to be classed as joint controllers; converging decisions are enough. Decisions converge where they complement each other and are necessary for the processing to take place, such that each party has a tangible impact on the determination of the purposes and means.
Similarly, the purposes pursued by the controllers do not have to be identical; it is enough that they are closely linked or ‘complementary’ for joint controllership to arise.
Following CJEU case law involving Facebook, the EDPB guidance suggests that where an entity uses a tool or system developed by another entity for its own purposes, this can give rise to joint controllership if both entities pursue their own interests and participate in determining the purposes and means of the processing.
How helpful is this guidance?
This new guidance from the EDPB is certainly to be welcomed, as assigning the correct roles and responsibilities to the different parties is only going to become more difficult as the complexity of data flows increases. However, the extent to which it has made this task easier is open to debate. A lot remains unanswered, most notably with regard to joint controllership and when it arises. Furthermore, no instruction is given as to what should happen if parties disagree on whether they are joint controllers, a difficult scenario that is certain to arise in practice. Since the introduction of the GDPR, companies have appeared reluctant to consider themselves joint controllers, most likely because of the lack of clarity surrounding the concept; this guidance is unlikely to change that trend.
What do organisations need to do now?
Organisations should use the additional information provided by the EDPB in this guidance to reconsider whether they have assigned themselves and their third parties the correct roles for the activities they are actually performing. In particular, attention needs to be paid to whether your organisation may be a joint controller with any third party with which it shares or jointly processes personal data.