Bastiaan Bruyndonckx
Information Communication Technology
Information Governance & Data Protection
Telecommunications, Media & Technology
Commercial law
Dispute Resolution
Intellectual Property (IP)
bastiaan.bruyndonckx@lydian.be
On 2 September 2020, the European Data Protection Board (EDPB) adopted draft guidelines 07/2020 on the concepts of controller and processor in the GDPR (the Guidelines), which aim to replace the previous opinion of the Article 29 Working Party dated 16 February 2010. The Guidelines are currently under public consultation until 19 October 2020.
The Guidelines contain some important additions to the previous opinion that may have concrete implications for your business.
The concepts of controller and processor under the GDPR, and the criteria for attributing these roles, are not new compared to Directive 95/46/EC.
Hence, it will not come as a surprise that the Guidelines do not bring any groundbreaking changes in this respect.
The EDPB recalls, for instance, that not every service provider that processes personal data in the course of delivering a service is a “processor” within the meaning of the GDPR (a consideration that may oblige the Belgian Data Protection Authority to review the position adopted in its decision 41/2020 of 29 July 2020). The role of processor does not stem from the nature of the entity processing the data but from its actual activities in a specific context. The nature of the service will determine whether the processing activity amounts to processing of personal data on behalf of the controller within the meaning of the GDPR.
Yet, it is worth mentioning that the EDPB stresses throughout the Guidelines that:
The Guidelines provide a series of examples to help you determine whether you act as a controller or a processor for specific data processing activities. For instance, depending on the circumstances, an accountant may act as controller or as processor.
Moreover, they end with a useful decision tree for applying the concepts of controller and processor.
The concept of joint controllership receives considerably more attention in the Guidelines. This is understandable keeping in mind that Article 26 of the GDPR introduces specific rules for joint controllers and sets a framework to govern their relationship.
Moreover, recent case law of the Court of Justice of the European Union (CJEU) (in particular case C-40/17 Fashion ID and case C-210/16 Wirtschaftsakademie) had to be reflected. While these judgments concerned the interpretation of the concept of joint controllers under Directive 95/46/EC, they remain valid in the context of the GDPR according to the EDPB.
Based on the abovementioned case law, the Guidelines give a very broad meaning to the concept of joint controllership:
The Guidelines also provide a series of examples to help you determine whether you act as a separate or a joint controller for specific data processing activities. Based on a case-by-case factual assessment, the EDPB considers that a marketing operation for a co-branded product, the launching of a clinical trial, or a platform / software developed by headhunters and employers are examples of joint controllership.
Moreover, they also end with a useful flowchart for applying the concept of joint controllership.
The Guidelines take a striking approach when it comes to agreements between controllers and/or processors. Based on a strict reading of the accountability principle introduced by the GDPR, the EDPB revisits data processing agreements and arrangements between joint controllers and establishes certain challenging obligations. The Guidelines do not, however, provide any guidance on controller-to-controller relationships.
The EDPB stresses that data processing agreements should include specific, concrete information on how the requirements of the GDPR will be met and on the level of security required for the personal data processing that is the object of the agreement.
Moreover, a controller is responsible for continuously assessing the sufficiency of the guarantees provided by the processor and should be able to prove that it has taken all of the elements provided for in the GDPR into serious consideration.
Hence, establishing a data processing agreement is an important case-by-case exercise, rather than a formality that can be fulfilled by simply restating the content of Article 28 GDPR.
Similarly, the EDPB attaches a great deal of importance to the arrangements between joint controllers.
In addition to the requirements explicitly mentioned in Article 26 GDPR, the joint controllers need to ensure that the whole joint processing fully complies with the GDPR. Consequently, the Guidelines suggest that arrangements between joint controllers should consider (without limitation) the implementation of general data protection principles, the legal basis of processing, security measures, data breach notification obligations, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities.
Moreover, even if there is no legal requirement in the GDPR for a contract or legal act, the EDPB recommends that arrangements between joint controllers are made in the form of a binding document.
The Guidelines give more insight into the concepts of processor, controller and joint controller in the GDPR and the relationships between them. It is best to go through these Guidelines in detail, since businesses might have to reconsider certain qualifications and review their (template) agreements.
We are of course at your disposal to check whether your (template) agreements are (still) in line with the Guidelines.
olivia.santantonio@lydian.be