The European Data Protection Board (“EDPB”) has published draft guidelines on the concepts of controller and processor for public consultation. While its predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor (Opinion 1/2010, WP169) back in 2010, many practical concerns have been raised since the entry into force of the General Data Protection Regulation (“GDPR”). These concerns relate in particular to the substance and implications of the concept of joint controllership (in Article 26 GDPR) and the specific obligations imposed on processors (mainly in Article 28 GDPR). The new EDPB guidelines will replace the previous opinion of the Article 29 Working Party but are currently open for stakeholder feedback. Comments and suggestions on how to improve the guidelines can be provided to the EDPB by 19 October 2020 at the latest.
With the new guidelines, the EDPB seeks to provide guidance on the concepts of controller and processor based on the GDPR’s definitions (contained in Article 4 GDPR) and the provisions governing the obligations of controllers and processors in Chapter IV of the GDPR.
In the first part of the draft guidance, the EDPB clarifies the precise meaning of the concepts of controller, joint controller and processor. The different building blocks of their legal definitions are analyzed in detail. The EDPB emphasizes that the criteria for the correct interpretation of these concepts must be sufficiently clear and consistent throughout the European Economic Area (“EEA”), as these are functional concepts that play a crucial role in the application of the GDPR.
In the second part of the draft guidance, the EDPB assesses the consequences of attributing the different roles and responsibilities between (joint) controllers and processors. To this end, the EDPB looks further into the relationship between controllers and processors as well as into the consequences of joint controllership.
The EDPB reminds controllers to only use processors providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. The controller should therefore take into account the processor’s expert knowledge, reliability, resources and possibly the processor’s adherence to an approved code of conduct or certification mechanism. The EDPB also recalls that processing of personal data by a processor must be governed by a data processing agreement that is binding on the processor. Article 28(3) of the GDPR lists the elements that have to be set out in the processing agreement. Such agreement should not, however, merely restate the provisions of the GDPR, but rather include more specific, concrete information as to how the requirements will be met and as to which level of security is required for the processing activities covered by the agreement.
With regard to joint controllership, the EDPB reminds joint controllers that they must determine and agree on their respective responsibilities for compliance with the obligations under the GDPR. While the GDPR does not specify the legal form of joint controllership arrangements, the EDPB recommends – for the sake of legal certainty and in order to provide for transparency and accountability – that such arrangements be made in the form of a binding document such as a contract or other legally binding act.
Source: European Data Protection Board, Guidelines on the concepts of controller and processor in the GDPR v1, adopted on 2 September 2020 (version for public consultation).