EDPB publishes guidance on the difference between controllers and processors under the GDPR
How does the European Data Protection Board (EDPB) define the concept of data controller and data processor in a GDPR world?
The key takeaway
Parties to data processing activities must be clear on who is setting the purpose of the processing, as it will determine their status as a controller or processor, thereby defining their obligations under the GDPR.
The background
On 16 February 2010, the now dissolved Data Protection Working Party delivered an opinion on the concepts of controller and processor. As this predated the GDPR, its relevance to post 2018 data-compliance activities was considerably lessened. Following the coming into force of the GDPR, queries have arisen as to how the GDPR has impacted the concepts of controllers, joint controllers, and processors and their respective obligations and rights. The EDPB, as successor to the Data Working Party, recognised that further clarification on how these roles are to apply was required. This new guidance helps explain the concepts and responsibilities of controllers and processors, building on the 2010 opinion, but this time with a specific focus on how they operate within the GDPR framework.
The development
The EDPB guidance has confirmed that the identity of a controller or processor is determined in principle by its activities, rather than its formal designation as either one or the other; while contractual terms can assist in defining roles, they will not be decisive. Certain activities will naturally lend themselves to one role or another. For example, a controller is a body which decides key elements of the data processing process such as the purpose and the means of the processing. By contrast, a data processor may never determine the purpose of processing, although there is some scope for a processor to make decisions in relation to the more practical elements of implementation. Importantly, it would be possible for one entity to act as both controller and processor for different processing operations simultaneously.
Joint controllership is defined as where two or more controllers determine the purpose and means of the processing. It is important to note that the fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership. Similarly, even though two or more data controllers may not have the same purpose for the processing, the fact that their purposes are similar or complementary may give rise to joint controllership. However, if a party that does not pursue any purpose of its own in relation to the processing, and is just being paid for services rendered, it is not a joint controller and is a processor.
The EDPB’s guidance clarifies that the starting point for assessing the status of an entity within a data transaction will be based on the factual circumstances of the transaction irrespective of how the parties are named or labelled. Purpose is considered the key indicator.
Data processors and controllers have different roles and responsibilities. Controllers must ensure that data subjects’ rights are properly respected, and joint controllers must define who will be in charge of answering requests from data subjects and responding to which duties on controllers more generally. Processors must make relevant information available to controllers to allow controllers to comply with the GDPR and carry out other duties incumbent on them, such as notifying data breaches and assisting the controller in carrying out data protection impact assessments. In order to understand which duties apply, parties must take a view on whether they fulfil the definition of controller or processor and the EDPB’s guidance assists in this determination.
Any practical tips?
The roles of controller and processor have been developed over the years and are well known. Organisations should nonetheless review the EDPB’s guidance and consider whether any of their data processing agreements attempt to designate the roles of controller and processor in name rather than substance. Parties to any such agreements should look beyond just restating Article 28 of GDPR and consider providing details on exactly how processors will assist controllers to comply with their GDPR obligations, possibly in annexes to a data protection agreement.