GDPR – Controllers and Processors
The EDPB adopts new guidelines on the concepts of controllers and processors under the GDPR.
The European Data Protection Board (EDPB) has issued updated guidelines (Guidelines) on the key concepts of “controller” and “processor” under the General Data Protection Regulation (GDPR). The Guidelines, adopted on 2 September 2020, do not introduce any fundamental changes to these concepts, but instead are intended to provide clarity on their precise meaning and interrelationship, in order to establish consensus across the EU and EEA in the approach to their interpretation and correct use. The Guidelines replace the previous guidelines issued by the Article 29 Working Party in 2010.
The Guidelines largely build on the 2010 guidelines, but incorporate some important points on the concepts, as well as providing detailed summaries with practical examples and a flowchart that will be helpful for businesses to determine their role for the purposes of the GDPR.
It is important for businesses to be clear on these concepts, as the rules applicable to them, and the ways in which data subjects can exercise their rights, depend on whether a business is a controller or a processor.
A controller is still the legal entity which determines both the purpose and means of the processing (i.e. the “why” and the “how” respectively). However the EDPB has clarified where the line is drawn between decisions reserved for a controller and those that can be left to a processor (see below).
Although decisions on the purpose of the processing are always the responsibility of the controller, a distinction is made between “essential” and “non-essential” means of processing:
- Essential means of processing are “closely linked to the purpose and the scope of the processing and are traditionally and inherently reserved to the controller”. So decisions about matters such as the type of personal data processed, the duration of the processing, the categories of recipients and data subjects are reserved for the controller.
- Non-essential means of processing concern more practical aspects. So decisions about matters such as the detail of the security measures to protect the personal data may be left to the processor. However the data processing agreement between the controller and processor must still cover off certain requirements, including the broad technical and organisational measures to be taken by the processor to ensure compliance with the GDPR.
In other words, the controller is responsible for determining the purpose and the essential means of the processing, while decisions on the non-essential means may be taken by the processor.
Further guidance is also provided in relation to the other elements of the definition of controller. For instance, the EDPB has clarified that there is no limitation on the type of entity that may become a controller, although commonly it is an organisation and not an individual within an organisation. Additionally, there is no requirement for a controller to have access to the data being processed in order to be a controller.
The two conditions that must exist to qualify as a processor are it must be a separate legal entity to the controller and it must process personal data on the controller’s behalf. The EDPB has emphasised that the processor must only process personal data in accordance with the controller’s instructions. If the processor operates outside the controller’s instructions and begins to determine its own purpose and means of processing, it will be deemed to be a controller and will have the higher level of responsibility imposed by the GDPR on controllers. Depending on the particular circumstances, its actions may be in breach of its contract with the controller and/or contravene the GDPR. However, the Guidelines do confirm that processors have some autonomy over decisions relating to technical and organisational means when acting on behalf of a controller.
We recommend that businesses undertake a review of their data privacy practices at least annually. The Guidelines (particularly the flowchart and examples they contain) should provide added clarity to the concepts of controller and processor and help organisations to understand whether their activities amount to a controller-to-processor data processing relationship or a controller-to-controller data sharing arrangement. This is turn should help them to ensure that they adopt the appropriate contractual documentation/terms.
The Guidelines can be accessed via this link. If you have any questions about the issues raised in this article, or on GDPR compliance more generally, please do not hesitate to contact us by emailing [email protected].