21/09/20 – On 2 September 2020, the European Data Protection Board (EDPB) adopted ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’. The Guidelines deal with the principles underpinning the differences between controllers and processors, and also delve into the more esoteric world of joint controllers.
EDPB observations on the difference between a controller and a processor
- The GDPR defines “controller” as “the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data…”. To determine who fulfils this role, the EDPB suggests you ask the following questions:
- Why is the processing taking place?
- Who decides that the processing should take place for a particular purpose?
- When assessing whether an entity is a controller, the EDPB states that “all relevant factual circumstances must be taken into account in order to reach a conclusion as to whether a particular entity exercises a determinative influence with respect to the processing of personal data in question”.
- A processor is defined by the GDPR as “a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller”. Acting “on behalf of the controller” means that the processor is serving the controller’s interest, and is similar to delegation; if, on the other hand, the entity is using the personal data for its own purposes then the entity is a controller.
- The two basic conditions of being a processor are, according to the EDPB:
- Being a separate entity to the controller
- Processing personal data on the controller’s behalf
- The terms of the contractual arrangements, including the controller/processor labels assigned by the parties, can be helpful, but the EDPB emphasises that “the terms of a contract are not decisive in all circumstances”.
- Although the controller decides both the purpose (the ‘why?’) and the means (the ‘how?’) of the processing, the EDPB acknowledges “that some margin of manoeuvre may exist for the processor … to make some decisions in relation to [the means of] the processing”. This refers to so-called ‘non-essential’ means of processing, e.g. the types of hardware and software used to carry out the processing.
- As per the CJEU’s judgment in the Jehovah’s Witnesses case, the fact that a person does not have direct access to the personal data does not by itself preclude the person from being a controller. By way of an example, the Guidelines refer to a retailer which outsources market research to a service provider, who then collects personal data about participants for the purposes of producing and providing the retailer with statistical information (e.g. consumer trends per region). Even though the retailer never ‘touches’ the relevant personal data, it has “determinative influence” on the purpose and means of processing – the retailer is directing the entire project – and is therefore the controller for GDPR purposes.
Plus some observations on joint controllers
- The GDPR provides that where two or more controllers “jointly determine the purposes and means of processing” personal data, then they are joint controllers.
- The GDPR requires that joint controllers document their respective responsibilities “by means of an arrangement between them” which is binding. Achieving a documented ‘arrangement’ containing a clear allocation of responsibilities is essential. The EDPB recommends that the joint controllers enter into an agreement specifying, in particular, the subject matter and purposes of the processing, the type of personal data, and the categories of data subjects.
- The EDPB’s comments regarding controllers generally apply equally to joint controllers. In addition:
- The fact that one of the parties does not have physical access to the relevant personal data does not by itself preclude joint controllership.
- Joint responsibility does not necessarily imply equal responsibility of the controllers involved.
- Joint controllership does not require the controllers to have exactly the same purposes – closely linked or complementary purposes may be sufficient.
- Guidelines, para 19
- Guidelines, para 23
- Guidelines, para 26
- Guidelines, para 35
- Guidelines, para 42
- Guidelines, para 169, GDPR, Art 26(1)
- Guidelines, para 171
- Guidelines, para 54
- Guidelines, para 56
- Guidelines, para 58