New guidelines of the EDPB on the concepts of (joint) controller and processor
On 2 September 2020, the European Data Protection Board (EDPB) adopted draft guidelines 07/2020 on the concepts of controller and processor in the GDPR (the Guidelines), which aim to replace the previous opinion of Working Party 29 dated 16 February 2010. The Guidelines are currently under public consultation until 19 October 2020.
The Guidelines contain some important additions to the previous opinion that may have concrete implications on your business.
1. CLARIFICATION OF THE CONCEPTS
1.1 Controller or processor: more of the same
The concepts of controller and processor under the GDPR and the criteria to attribute these roles are not new compared to the Directive 95/46/EC.
Hence, it will not come as a surprise that the Guidelines do not bring any groundbreaking changes in this respect.
The EDPB recalls for instance that not every service provider that processes personal data in the course of delivering a service is a “processor” within the meaning of the GDPR (such consideration may oblige the Belgian Data Protection Authority to review the position adopted in its decision 41/2020 of 29 July 2020). The role of a processor does not stem from the nature of an entity that is processing data but from its actual activities in a specific context. The nature of the service will determine whether the processing activity amounts to processing of personal data on behalf of the controller within the meaning of the GDPR.
Yet, it is worth mentioning that the EDPB stresses throughout the Guidelines that:
- if a processor goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing, the processor infringes the GDPR and should be considered a controller;
- the concept of controller should be interpreted in a sufficiently broad way; and
- as regards the determination of means, a distinction can be made between essential and non-essential means. “Essential means” are closely linked to the purpose and the scope of the processing and are traditionally and inherently reserved to the controller.
The Guidelines provide a series of examples to help determine whether you act as a controller or processor for specific data processing activities. For instance, depending on the circumstances, an accountant may act as controller or processor.
Moreover, they contain at the end a useful decision tree for applying the concepts of controller and processor.
1.2 Joint controllership: broad meaning
The concept of joint controllership receives considerably more attention in the Guidelines. This is understandable keeping in mind that Article 26 of the GDPR introduces specific rules for joint controllers and sets a framework to govern their relationship.
Moreover, recent case law issued by the Court of Justice of the European Union (CJEU) (in particular case C-40/17 Fashion ID and case C-210/16 Wirtschaftsakademie) had to be implemented. While these judgments related to the interpretation of the concept of joint controllers under Directive 95/46/EC, they remain valid in the context of the GDPR according to the EDPB.
Based on the abovementioned case law, the Guidelines give a very broad meaning to the concept of joint controllership:
- a joint participation does not necessarily require a common decision taken by two or more entities, but can also result from converging decisions. In other words, it concerns decisions that complement each other and are necessary for the processing to take place in such manner that they have a tangible impact on the determination of the purposes and means of the processing;
- jointly defined purposes do not only exist if the entities involved process the data for the same or common purposes, but also when the entities involved pursue purposes which are closely linked or complementary; and
- joint controllership does not necessarily imply that each entity involved needs to determine all of the means. According to the Guidelines, different entities may be involved at different stages of that processing and to different degrees.
The Guidelines also provide a series of examples to help you determine whether you act as a separate or joint controller for specific data processing activities. Based on a factual assessment, the EDPB considers that a marketing operation for a co-branded product, the launching of a clinical trial, or a platform / software developed by headhunters and employers are examples of joint controllership.
Moreover, they also contain at the end a useful flowchart for applying the concept of joint controller.
2. NEED TO REVIEW OR AMEND DATA PROCESSING AGREEMENTS OR ARRANGEMENTS BETWEEN JOINT CONTROLLERS
The Guidelines take a striking approach when it comes to agreements between controllers and/or processors. Based on a strict reading of the accountability principle introduced by the GDPR, the EDPB revisits data processing agreements and arrangements between joint controllers and establishes certain challenging obligations. The Guidelines do not, however, provide any guidance in the case of controller-to-controller relationships.
2.1 Data processing agreements
The EDPB stresses that data processing agreements should include specific, concrete information as to how the requirements of the GDPR will be met and which level of security is required for the personal data processing that is the object of the data processing agreement.
Moreover, a controller is responsible for continuously assessing the sufficiency of the guarantees provided by the processor and should be able to prove that it has taken all of the elements provided in the GDPR into serious consideration.
Hence, establishing a data processing agreement is an important case-by-case exercise, rather than a formality that can be fulfilled by simply restating the content of Article 28 GDPR.
2.2 Arrangements between joint controllers
Similarly, the EDPB attaches a great deal of importance to the arrangements between joint controllers.
In addition to the requirements explicitly mentioned in Article 26 GDPR, the joint controllers need to ensure that the whole joint processing fully complies with the GDPR. Consequently, the Guidelines suggest that arrangements between joint controllers should consider (without limitation) the implementation of general data protection principles, the legal basis of processing, security measures, data breach notification obligations, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities.
Moreover, even if there is no legal requirement in the GDPR for a contract or legal act, the EDPB recommends that arrangements between joint controllers are made in the form of a binding document.
The Guidelines give more insight into the concepts of processor, controller and joint controller in the GDPR and the relationships between them. It is best to go through these Guidelines in detail, since businesses might have to reconsider certain qualifications and review their (template) agreements.
We are of course at your disposal to check whether your (template) agreements are (still) in line with the Guidelines.