
Alston & Bird Privacy, Cyber & Data Strategy Blog


EDPB publishes Guidelines on the Concepts of Controller and Processor in the GDPR

July 21, 2021 By Yung Shin Van Der Sype, Paul Greaves and Wim Nauwelaerts

On July 7th, the European Data Protection Board (“EDPB”) adopted its finalized guidelines on the concepts of controller and processor in the General Data Protection Regulation (“GDPR”). While the EDPB’s predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor (Opinion 1/2010, WP169) back in 2010, many practical concerns have been raised since the entry into force of the GDPR. These concerns relate in particular to the concept of joint controllership (in Article 26 GDPR) and the specific obligations imposed on processors (mainly in Article 28 GDPR). To address these concerns, the EDPB published draft guidelines last year, which were open to public consultation. The newly released guidelines now take into account the feedback from various stakeholders.

With the new guidelines, the EDPB seeks to provide guidance on the concepts of controller and processor based on the GDPR’s definitions (contained in Article 4 GDPR) and the provisions governing the obligations of controllers and processors in Chapter IV of the GDPR.

In the first part of the guidance, the EDPB clarifies the precise meaning of the concepts of controller, joint controller and processor, and analyzes the different building blocks of their legal definitions in detail. The EDPB emphasizes that the criteria for the correct interpretation of these concepts must be sufficiently clear and consistent throughout the European Economic Area (“EEA”), as these are functional but autonomous concepts that play a crucial role in the application of the GDPR. The concepts are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties. They are autonomous in that they should be interpreted mainly according to EU data protection law.

In the second part, the EDPB explains the consequences of attributing different roles between (joint) controllers and processors as well as their respective responsibilities. To this end, the EDPB looks further into the relationship between controllers and processors as well as to the consequences of joint controllership.

With respect to the relationship between a controller and a processor, the EDPB underlines the requirement to ensure that there is a contract or other legal act in place which covers the requirements set out by Article 28(3) GDPR. The EDPB emphasizes that this contract or other legal act should not merely restate the requirements outlined in Article 28(3) GDPR. Rather, it should include more specific, concrete information as to how the requirements will be met in practice (e.g., by specifying how particular information will be communicated, when and to whom). In the finalized version of the guidance, the EDPB appears to be particularly keen to point out that certain responsibilities (such as notifying a personal data breach to a Supervisory Authority, carrying out a data protection impact assessment, or mandating an auditor) remain ultimately the responsibility of the controller, even where the processor may be assisting with those activities. As to the Standard Contractual Clauses (SCCs) adopted for the purposes of Article 28(3) GDPR (see our advisory here), the EDPB explains that use of these SCCs is not necessary, but that relying upon them may contribute to rebalancing power between the parties where one party is in a weaker negotiating position.

With regard to joint controllership, the EDPB reminds joint controllers that they must determine and agree on their respective responsibilities to ensure compliance with the GDPR. Joint controllers need to set out “who does what” by allocating tasks, roles, and responsibilities. The EDPB anticipates that in most cases this will be memorialized in a contract. The parties may decide to appoint a single point of contact for data subjects, but even if they do, data subjects can still exercise their data protection rights in respect of and against each of the joint controllers individually.

Filed Under: Data Protection, Privacy, Regulation Tagged With: EU Data Protection, EU Privacy, EU Regulation, European Union (EU)

About Yung Shin Van Der Sype

Yung Shin is an associate with Alston & Bird’s Technology & Privacy Group and Privacy, Cyber & Data Strategy Team. She focuses her practice on IT law and HR-related matters, including privacy and data protection, IT contracts, and corporate security.

About Paul Greaves

Paul Greaves is a senior associate in the Brussels office and a member of Alston & Bird’s Privacy, Cyber & Data Strategy Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.
