EDPB’s Guidelines on the concepts of controller and processor in the GDPR
The European Data Protection Board issued the Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 1.0, adopted on 02 September 2020.
These Guidelines were open to public consultation from September to October 2020, and over one hundred comment submissions were received by the EDPB. They are all available online on the EDPB’s website. It is likely that a new version will be published any time soon, but in the meantime privacy practitioners often refer to these Guidelines for guidance when solving complex client matters regarding, inter alia, relationships among groups of companies.
The Guidelines are extraordinarily long and detailed (48 pages).
Here is our selection of the guidelines which offer relevant insight for groups of companies:
- (…) The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.
- In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller. A controller is a body that decides certain key elements of the processing.
- Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances.
- A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller.
- There can be situations where various actors successively process the same personal data in a chain of operations, each of these actors having an independent purpose and independent means in their part of the chain. In the absence of joint participation in the determination of the purposes and means of the same processing operation or set of operations, joint controllership has to be excluded and the various actors must be regarded as successive independent controllers.
- Processing of personal data can involve multiple processors. For example, a controller may itself choose to directly engage multiple processors, by involving different processors at separate stages of the processing (multiple processors). A controller might also decide to engage one processor, who in turn - with the authorisation of the controller - engages one or more other processors (“sub processor(s)”). The processing activity entrusted to the processor may be limited to a very specific task or context or may be more general and extended.
- A separate entity means that the controller decides to delegate all or part of the processing activities to an external organisation. Within a group of companies, one company can be a processor to another company acting as controller, as both companies are separate entities.
- If the controller decides to process data itself, using its own resources within its organisation, for example through its own staff, this is not a processor situation.
- Processing personal data on the controller’s behalf firstly requires that the separate entity processes personal data for the benefit of the controller. In Article 4(2), processing is defined as a concept including a wide array of operations ranging from collection, storage and consultation to use, dissemination or otherwise making available and destruction. In practice, this means that all imaginable handling of personal data constitutes processing.
- The processing must be done on behalf of a controller but otherwise than under its direct authority or control. Acting “on behalf of” means serving someone else’s interest and recalls the legal concept of “delegation”. In the case of data protection law, a processor is called to implement the instructions given by the controller at least with regard to the purpose of the processing and the essential elements of the means.
- The lawfulness of the processing according to Article 6, and if relevant Article 9, of the Regulation will be derived from the controller’s activity and the processor must not process the data otherwise than according to the controller’s instructions. Even so, as described above, the controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organizational means.
Finally, please see also the helpful flowchart in Annex I (Flowchart for applying the concepts of controller, processor and joint controllers in practice), which may assist you when analyzing a challenging scenario, e.g. a complex group-of-companies structure and its related processing operations and data flows.
Article provided by: Belén Arribas Sánchez (BELEN ARRIBAS SANCHEZ ABOGADA, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)