On July 7th, the European Data Protection Board (“EDPB”) adopted its finalized guidelines on the concepts of controller and processor in the General Data Protection Regulation (“GDPR”). While the EDPB’s predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor (Opinion 1/2010, WP169) back in 2010, many practical concerns have been raised since the entry into force of the GDPR. These concerns relate in particular to the concept of joint controllership (in Article 26 GDPR) and the specific obligations imposed on processors (mainly in Article 28 GDPR). To address these concerns, the EDPB published draft guidelines last year, which were open to public consultation. The newly released guidelines now take into account the feedback from various stakeholders.
With the new guidelines, the EDPB seeks to provide guidance on the concepts of controller and processor based on the GDPR’s definitions (contained in Article 4 GDPR) and the provisions governing the obligations of controllers and processors in Chapter IV of the GDPR.
In the first part of the guidance, the EDPB clarifies the precise meaning of the concepts of controller, joint controller and processor, and analyzes the different building blocks of their legal definitions in detail. The EDPB emphasizes that the criteria for the correct interpretation of these concepts must be sufficiently clear and consistent throughout the European Economic Area (“EEA”), as these are functional and autonomous concepts that play a crucial role in the application of the GDPR. The concepts are functional in that they aim to allocate responsibilities according to the actual roles of the parties. They are autonomous in that they should be interpreted mainly according to EU data protection law.
In the second part, the EDPB explains the consequences of attributing the roles of (joint) controller and processor to the different parties, as well as their respective responsibilities. To this end, the EDPB looks further into the relationship between controllers and processors and into the consequences of joint controllership.
With respect to the relationship between a controller and a processor, the EDPB underlines the requirement to ensure that there is a contract or other legal act in place which covers the requirements set out by Article 28(3) GDPR. The EDPB emphasizes that this contract or other legal act should not merely restate the requirements outlined in Article 28(3) GDPR. Rather, it should include more specific, concrete information as to how the requirements will be met in practice (e.g., by specifying how particular information will be communicated, when and to whom). In the finalized version of the guidance, the EDPB appears to be particularly keen to point out that certain responsibilities (such as notifying a personal data breach to a Supervisory Authority, carrying out a data protection impact assessment, or mandating an auditor) remain ultimately the responsibility of the controller, even where the processor may be assisting with those activities. As to the Standard Contractual Clauses (SCCs) adopted for the purposes of Article 28(3) GDPR (see our advisory here), the EDPB explains that use of these SCCs is not mandatory, but that relying upon them may contribute to rebalancing power between the parties where one party is in a weaker negotiating position.
With regard to joint controllership, the EDPB reminds joint controllers that they must determine and agree on their respective responsibilities to ensure compliance with the GDPR. Joint controllers need to set out “who does what” by allocating tasks, roles, and responsibilities. The EDPB anticipates that in most cases this will be memorialized in a contract. The parties may decide to appoint a single point of contact for data subjects, but even if they do, data subjects can still exercise their data protection rights in respect of and against each of the joint controllers individually.