An attempt at delimitation by the European Data Protection Board
On 2 September 2020, the European Data Protection Board (EDPB) adopted a first version of its Guidelines 07/2020 on the concepts of controller and processor in the GDPR, which we briefly present here. The guidelines are currently available in English only. This first published version is subject to a public consultation; comments may be submitted to the EDPB until 19 October 2020.
The new guidelines are intended to replace Opinion 1/2010 (WP 169) of the Article 29 Working Party of 16 February 2010. They are largely based on the definitions and findings of the Working Party but develop them further and illustrate them with case studies. In particular, the guidelines focus on the concept of joint controllership under Art. 26 GDPR, which was first expressly regulated by the GDPR. This is to be welcomed in principle, as the legal concept of joint controllership repeatedly leads to uncertainty and difficulties of delimitation in practice.
As the EDPB explains in its introduction, the question of who is the controller for a given processing operation, together with the question of who is a processor and under which conditions, plays a crucial role in the application of the GDPR: the answers determine who is responsible for compliance with the various data protection rules and how data subjects can exercise their rights in practice. The EDPB therefore stresses that the exact meaning of these concepts and the criteria for their correct application must be sufficiently clear throughout the European Union and the EEA.
The guidelines are structured in two parts.
Part I discusses the various concepts of controllership (Art. 4 No. 7 GDPR), joint controllership under Art. 26 GDPR, processors under Art. 28 GDPR and the concepts of a third party (Art. 4 No. 10 GDPR) and a recipient (Art. 4 No. 9 GDPR).
Part II contains details regarding the consequences of assigning the above-mentioned roles.
Part I: Legal Concepts
In discussing who should be responsible for compliance with data protection law within the framework of the GDPR's concepts (controller, processor, etc.) and how data subjects can exercise their rights in practice, the draft guidelines make it clear that the GDPR follows a functional approach. The aim of the GDPR is to allocate responsibilities according to the actual roles of the parties. What matters is therefore not which roles the parties assign to themselves in their contracts, but what they actually do.
The concepts of controller and processor are autonomous concepts: although external (national) legal sources may help to identify the controller, the concepts are to be interpreted primarily in accordance with EU data protection law.
A controller is responsible for compliance with the principles set out in Art. 5 para. 1 GDPR and must be able to demonstrate such compliance (Art. 5 para. 2 GDPR).
The controller decides on the "why" and the "how" of the data processing, i.e. on both the purposes and the means. However, the EDPB states that a processor may decide on so-called "non-essential means", e.g. on the details of the technical and organisational measures (TOMs) it implements, without this necessarily affecting its role as processor.
In the case of joint controllership, two or more entities decide on the purposes and means. This can happen either through a common decision or through converging decisions. The latter means that the decisions complement each other in such a way that the processing operation would be inconceivable or impossible without the participation of both parties.
Processorship has two main characteristics: acting on the documented instructions of the controller, and being a separate entity from the controller (e.g. not an employee of the controller). As noted above, minor decisions on non-essential means are nevertheless possible.
The EDPB describes the concepts of recipient and third party contained in the GDPR as relative concepts. This means that an entity's role as recipient or third party results from its relationship with the respective controller or processor. The EDPB notes that the concepts of third party and recipient correspond to the earlier definitions in Directive 95/46/EC.
The draft guidelines contain a number of examples, although we would have appreciated more practical scenarios and clarification of disputed ones.
The EDPB stresses that the examples describe the role assignments that are typical in practice. In every case, however, the roles actually exercised must be examined, which may lead to a different classification.
Similarly, the EDPB stresses that a data processing operation may need to be divided into different phases. For example, where a common online platform is used, the processing on that platform may take place under joint controllership, while the remaining processing, i.e. outside the platform, may take place under each party's separate controllership.
Examples of controllership:
- Law firms
- Taxi service offering its own online platform for bookings
Examples of processorship:
- Payroll administration
- Hosting services
- Market research
- General IT-Support
- Cloud Service Provider
Examples of joint controllership:
- Research project by several institutes using a shared online platform
- Marketing operation: marketing of a co-branded product resulting from the cooperation of two companies, here in relation to a jointly planned event
- Clinical trials, if the study protocol is developed jointly
- Headhunter (other role assignments are possible depending on the circumstances)
No joint controllership:
- Transfer of employee data to the tax authorities, as there is neither a common purpose nor a common decision on the means
- So-called "chain of operations", i.e. successive data processing operations, each with its own purpose
- For further examples please see Guidelines 07/2020, p. 23.
Examples of controller-to-controller relationships:
- Bank payments, here salary payments between employer and bank
- Accountants: here, however, the decisive factors in the European context are the instructions given and the applicable national legal situation
- Travel agency (where a common online platform is used in cooperation with other service providers such as hotels and airlines, joint controllership is also possible)
Examples of third parties and recipients:
- Third party: Cleaning services
- Third party: Parent company which receives data from various subsidiaries for the purpose of compiling employee statistics
- Recipient: Hotels, airlines, etc., which receive personal data sent by a travel agency upon customer request
Part II – Consequences of assigning different roles
The second part of the guidelines contains some interesting clarifications regarding the consequences of the respective roles.
1. The relationship between controller and processor
The EDPB comments on the various requirements of Art. 28 para. 3 GDPR.
In addition, the rules on the transfer of data to third countries (Art. 44 et seq. GDPR) apply to a processor in the same way as to a controller. Art. 28 para. 3 GDPR also imposes obligations directly on the processor, not only on the controller.
With regard to the requirements for the data processing agreement under Art. 28 GDPR, the EDPB states that the agreement should not merely repeat the provisions of the GDPR but should contain specific, concrete information. The issuance of the necessary documented instructions and any updates to them must also be demonstrable, and the security level of the implemented TOMs should be set in relation to the specific processing. Processing agreements concluded before the GDPR became applicable must be brought up to GDPR standard and updated accordingly.
It remains unclear whether, for example, it is the controller or the processor that must conclude EU Standard Contractual Clauses with sub-processors. Clarification on this point would have been desirable in view of Schrems II.
2. Consequences of joint controllership
In the context of joint controllership, the EDPB attaches particular importance to a transparent allocation of responsibilities, especially with regard to data subjects, who should have the greatest possible transparency as to how they can exercise their rights.
In this respect, it is clarified that each joint controller must ensure that there is a legal basis for its part of the processing and must ensure that the data are not processed beyond the common purpose for which they were originally collected.
The form of the agreement between joint controllers is not stipulated in the GDPR (Art. 26 para. 1 sentence 2 GDPR). The EDPB nevertheless recommends concluding the agreement as a legally binding document, in particular to comply with the accountability obligations arising from Art. 5 para. 2 GDPR. Supervisory authorities are not bound by the contractual allocation of responsibilities and may approach any of the joint controllers.
The guidelines address the assignment of the roles of controller and processor and contain some welcome clarifications. Ultimately, however, they do not reinvent the wheel but build on established concepts. Further clarification in disputed areas (e.g. temporary employment) would have been desirable and would have brought clarity to many legal relationships in practice.
This article was first published in German.