On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).
The concepts of controller, joint controller, and processor are critical under EU data protection law, as they define the roles and responsibilities of the parties. The Guidelines confirm the EU courts' broad interpretation of joint controllers and provide additional guidance regarding the contents of data processing agreements (DPA) between controllers and processors, as well as between joint controllers. Companies should consider reassessing their role and their data processing agreements in light of these Guidelines.
The Guidelines are open for public consultation until October 19, 2020. Companies are invited to submit their views and comments, which the EDPB will consider when preparing the final version of the Guidelines.
The concepts of controller, processor, and joint controller were introduced under the Data Protection Directive in 1995 and EU regulators issued guidance on this topic in 2010. A controller is the entity who determines the purposes and means of the personal data processing (i.e., "how" and "why" the data is processed). A processor is a separate entity who acts on behalf of, and under the instructions of, the controller. A joint controller is an entity that jointly determines the purposes and means of processing data with another controller. The Guidelines update the prior guidance in light of the GDPR and case law of the European Court of Justice (ECJ).
EDPB Clarifies the Concepts of Controller, Processor, and Joint Controller
Controller and Processor
The Guidelines confirm the existing interpretation of the concepts of controller and processor and opine on a number of questions that are relevant for companies:
- A company can be considered a processor even if it determines some non-essential means of the processing (e.g., choice of a particular type of hardware or software, or selection of particular security measures); however, according to the EDPB, the essential means of the processing are always determined by the controller (e.g., type of personal data, duration of processing, categories of recipients and individuals).
- The purposes of the processing are always solely determined by the controller.
- The same entity can have different roles depending on the processing activity. For example, a company can be a processor when providing services to its corporate customers, but a controller when conducting its own marketing activities.
- One company may also be both a controller and a processor with respect to the same dataset, if it uses that data for different processing operations.
- A controller does not need to have access to the data to be a controller.
- While the terms of a contract between processing entities will reflect the roles of the parties, these are not considered dispositive in all circumstances by EU regulators.
One of the key issues discussed in the EDPB guidelines is the concept of joint controllership, a topic the ECJ addressed in the FashionID case.
First, the EDPB confirms that there are two types of controller-to-controller relationships: joint controllers and separate controllers. The GDPR requires joint controllers to conclude a joint-controllership agreement with specific provisions, but this obligation does not apply to separate controllers. Not surprisingly, the Guidelines follow the ECJ's conclusion in the FashionID case that it is possible for two companies to be joint controllers only with respect to specific processing operations within a broader processing activity, and to remain separate controllers for the rest. In other words, two companies can be joint controllers for some stages of the processing for which they jointly determine the purposes and means, and separate controllers for preceding or subsequent operations in the chain.
Then, the EDPB clarifies that two (or several) companies are joint controllers if they determine the purposes and means of the processing jointly via either i) a common decision, or ii) two or more converging decisions (i.e., complementary decisions without which the processing cannot take place). Purposes are determined jointly when the decision(s) relate(s) to i) either the same purposes, or ii) to common, closely linked, or complementary purposes. This may be the case, for example, when there is a mutual benefit for both joint controllers arising from the same processing operation; in the Fashion ID case, the website operator embedding a social plug-in on its website to optimize publicity on the social network was considered a joint controller with the provider of the social plug-in because both parties have a benefit in the processing. However, the mere fact that a processor receives payment in exchange for its services does not make it a joint controller.
EDPB Calls for Detailed Data Processing Agreements
- Expanded content of a DPA. DPAs should not only restate the content of Article 28 of the GDPR, but also specify how the requirements will be met. For example, the Guidelines recommend that a DPA should include details on i) the specific instructions the controller mandates the processor follow; this may be included in a template instruction sheet in an annex; ii) the security objectives to be attained (or the specific security measures to be adopted), together with an obligation for the processor to obtain the controller's approval before making changes, and a process for regular review to take into account new security risks; iii) the subprocessors' locations, role, proof of implemented safeguards, and the timeframe for approval of new subprocessors; and iv) the processor's assistance obligation (e.g., in relation to individuals' rights, security and data breach obligations, data protection impact assessments, etc.).
- Direct obligations for processors. The EDPB states that Article 28 of the GDPR also imposes direct obligations on processors. Therefore, EU regulators can sanction both the controller and the processor if this provision is violated. However, where the controller is not subject to the GDPR but the processor is established in the EU, the obligations of Article 28(3) will be only directly applicable to the processor.
- Notification of changes via online publication. On a more practical level, the Guidelines note that, when there is a need to modify the DPA, processors cannot simply publish a modified version of their DPA on their website, but need to have the updated version approved by the relevant controller(s). Similarly, relying on an online list of subprocessors to notify the controller of new subprocessors only works if the list highlights which proposed subprocessor is new.
- Due diligence of (sub)processors. The Guidelines also state that controllers, as part of their accountability obligation, should conduct due diligence to assess whether (sub)processors provide sufficient guarantees that the processing will satisfy GDPR requirements. Such assessment should take place both before and during the engagement—including via audits and inspections at regular intervals. Elements to be taken into account include the processor's expert knowledge, reliability, resources, and adherence to an approved code of conduct.
Joint Controllers DPA
Under the GDPR, joint controllers must determine their respective responsibilities for compliance with the GDPR and document them in a contract (commonly referred to as an Article 26 agreement). Such a contract must set out "who does what."
While the GDPR provides that such an arrangement should determine responsibilities regarding the exercise of individuals' rights and GDPR notice obligations, the EDPB notes that this list is not exhaustive. The contract also should address other GDPR obligations, such as i) compliance with general data protection principles; ii) legal basis for the processing; iii) security measures; iv) data breach notifications; v) data protection impact assessments; vi) use of processors; and vii) third country transfers.
The EDPB also recommends specifying i) who will act as a contact point for individuals and regulators (although individuals and regulators can always choose to contact any of the joint controllers) and ii) general information on the joint processing, such as subject matter, purpose, type of personal data, and categories of individuals.
The Guidelines further provide that some obligations cannot be distributed among joint controllers and that each joint controller must individually comply with them (e.g., appointment of a data protection officer, records of processing activities, purpose limitation, and data security).
What Should Companies Do?
Companies involved in the same data processing activities should consider reassessing their role in light of these Guidelines, in particular whether they could be considered joint controllers. Where applicable, they should consider determining their respective GDPR obligations by means of an arrangement and communicate this to individuals. In addition, companies that are in a controller-to-processor relationship should consider updating their template DPA to include the recommendations of the EDPB. Impacted companies may consider submitting comments to the EDPB, as the Guidelines are open for public consultation until October 19, 2020.