The European Data Protection Supervisor (EDPS) has issued guidance on the concepts of data controller and processor for European Union organizations. Though it covers EU institutions, the guidance contains many concepts that are applicable and instructive for other entities subject to the General Data Protection Regulation (GDPR). While it is not binding, the analysis may also provide insights for entities trying to decipher the "business"—"third party" relationship under the California Consumer Privacy Act (CCPA).
Key takeaways are below.
What is a Controller?
- An entity that exercises influence over the purpose and means of a processing operation by virtue of an exercise of decision-making power.
- When carrying out of a processing operation, the controller is the one deciding on the purpose ("the why") and on the means to carry out such processing operation ("the how").
- To analyze, ask:"Why is the processing taking place?" "Who initiated the processing?" and "Who benefits from the processing?"
- It is not necessary for a party to equally determine both purpose and means to be considered a controller of the processing of personal data.
- The crucial question is to what level of detail a party should determine the purposes and means in order to be considered as a data controller.
- When assessing the determination of the purpose, the actor determining the reason for which a certain processing would take place, i.e. the "what for," is the controller.
- The determination of the means to be used for a specific processing operation only entails the role of controllership if the party decides on the essential elements of the means including: the type(s) of data to be processed, the period for which data would be retained, the data subjects from which the data would be collected, who will have access to data (access control lists, user profiles etc.) and who will receive the data, etc., these usually being reserved to the controller’s determination.
- The determination of more practical aspects of the processing operation(s), the so-called "non-essential elements of the means," (e.g hardware or software to be used or the technical security measures) may made by the data processor.
- An entity does not need to have access to personal data to be considered a controller. It is enough if it determines the purposes and means of processing, has influence on the processing by causing the processing of personal data to start (and being able to make it stop), or receives the anonymous statistics based on personal data collected and processed by another entity (see also Case C-25/17 Jehovan todistajat ECLI:EU:C:2018, paraS. 68 to 72, as well as Case C-210/16 Wirtschaftsakademie Schleswig-Holstein and Case C-40/17 FashionID & Co.KG v VerbraucherzentraleNRW eV).
- The primary responsibility for ensuring compliance lies with the controller.
- It is responsibility of the controller to ensure that data subjects can exercise the rights afforded to them. Even if another entity is appointed as a point of contact for data subjects, the controller of the processing operation remains the ultimate point of reference for this obligation.
Controller Checklist: If the majority of your responses is YES, you are likely to be a controller for a specific set of processing operations:
- You have decided to process personal data or caused another entity to process it.
- You decided what purpose or outcome the processing operation needs to have.
- You decided on the essential elements of the processing operation, i.e. what personal data should be collected, about which individuals, the data retention period, who has access to the data, recipients, etc.
- The data subjects of your processing operations are your employees.
- You exercise professional judgement in the processing of the personal data.
- You have a direct relationship with the data subjects.
- You have autonomy and independence as to how the personal data is processed.
- You have appointed a processor to carry out processing activities on your behalf, even if the entity chosen for that purpose implements specific technical and organizational means (non-essential elements).
What is a Processor?
- The essence of the role of a "processor" is that personal data is processed on behalf of the data controller.
- "Acting on behalf of the controller" signifies that the processor is serving the controller’s interest in carrying out a specific task and that it is thus following the instructions set out by the controller, at least with regard to the purpose and the essential elements of the means.
- The processor may enjoy a considerable degree of autonomy in providing its services and may identify the non-essential elements of the processing operation.
- The processor may advise or propose certain measures (in particular within its field of expertise) but it is up to the controller to decide whether to accept such a proposal or advice, after having been fully informed of the reasons for the measures, what the measures are and how they would be implemented.
- When a processor acts beyond the mandate by infringing the contract or another legal act or making decisions about the purpose and the essential elements of the means of a specific processing operation, it may qualify as a controller (or a joint controller).
The controller is required to assess whether the guarantees offered by the processor are sufficient and needs to be able to demonstrate this. To this end the controller should:
- Only use processors providing sufficient guarantees to implement appropriate technical and organizational measures that the processing will meet the requirements of the Regulation and ensure the data subjects' rights are protected.
(1) Take into account whether the processor provides adequate documentation proving such compliance, such as privacy policies, records management policies, information security policies, external audit reports, certifications, etc.
(2) Take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), its reliability and its resources.
- Ensure that the processor does not further outsource/subcontract without the controller’s prior written authorization.
- Make sure that the processor keeps the controller informed of any changes, giving the controller the opportunity to object.
- Sign a written contract or another (binding) legal arrangement with the processor with specific data protection clauses.
- In the contract, set out clear modalities for the assistance required (e.g. re: data subject rights, data breach notification, etc.) and give the processor precise instructions on how to fulfill them, for example in the contract or another (binding) arrangement and reflect these modalities in the privacy notice to the data subjects.
- Ensure that the same contractual obligations are passed on to any subcontractor chosen.
- Processors provide for GDPR compliance as one of the elements to be used to demonstrate sufficient guarantees.
- Regularly check on the processor’s compliance and measures in use.
Downstream and Liability
- It may be possible for the controller to transmit any request to the processor, where this is the only entity to grant rights to the data subject.
- The processor’s liability remains more limited in scope compared to the controller’s liability. The processor may be held liable when it has acted outside the mandate given by the controller, or if it has not complied with its own obligations under the law.
- In practice, a processor carrying out specific processing operations under strict instructions given by the controller, would not be held liable for any infringement of the Regulation when strictly following the controller’s instructions.
- Vis-à-vis the data subject, the controller carries the main responsibility for the processing operation and may be held liable for damages. However, the data subject may still hold the processor liable if it has specific reasons to believe the infringement which resulted in the damage was made by the processor.
Data Processor Checklist
If the majority of your responses is YES, you are likely a processor for a specific set of processing operations:
- You follow instructions from another party with regard to the processing of personal data.
- You do not decide to collect personal data from individuals.
- You do not decide on the legal basis for the collection and use of that data.
- You do not decide the purpose or purposes for which the data will be used.
- You do not decide whether to disclose the data, or to whom.
- You do not decide the data retention period.
- You make certain decisions on how data is processed, but implement such decisions under a contract or other legal act or binding arrangement with the controller.
- You are not interested in the end result of the processing.
What is it?
- This is any situation where each controller has a chance/right to determine purposes and essential elements of the means of a processing operation
- By entering into such agreement, the parties commonly determine (or converge on) the purpose and essential elements of the means to carry out a processing operation. This, in itself, is sufficient to trigger a situation of joint controllership.
- Both the purposes and (the essential elements of) the means of the processing operation need to be determined. What matters for the existence of a situation of joint controllership is the determination of the purpose and (essential elements of the) means of the processing operations.
- The fact that a party only has access to information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable...does not influence the joint controllership situation. However, this may nonetheless matter when establishing the degree of responsibility of the parties involved.
- If the parties involved do not jointly determine or converge on the same general objective (or purpose) or do not base their processing operations on jointly determined (essential elements of the) means, their relationship seems to be pointing to a "separate controllership" situation.
Obligations of Joint Controllers
- Define the responsibilities for compliance with data protection obligations.
- Clearly identify and define their respective responsibilities for specific obligations under the Regulation.
- Joint controllers are not obligated to share their responsibilities equally.
- The parties involved in the processing operations should assess their roles and responsibilities taking into account the different stages in which they operate.
- A clear understanding of who does what will help to assign responsibilities in a way that makes sense — if e.g. some of the joint controllers will interact with data subjects, while others will not, it makes sense to assign responsibilities for informing data subjects and dealing with request to the former.
- Joint controllers may want to create specific procedures for using processors in the arrangement between the joint controllers. These procedures could stipulate that if one of the parties decides to engage a processor, it should consult the other controller(s) on the part of the processing to be entrusted to a processor and on the aspects of the contract to be put in place with a processor.
Arrangement Between Joint Controllers
- Joint controllers must enter into a specific arrangement, laying down their roles and responsibilities, in particular towards the data subjects.
- Such arrangement may take the form of a Memorandum of Understanding (MoU) or a contract. A Service Level Agreement (SLA) may be used in addition to the MoU as providing technical specifications or by itself.
Nature of Arrangements
- Should be discussed and agreed by ALL joint controllers
- Cannot be unilaterally adopted by one controller
- Should cover only the relevant processing operations and have a clearly defined scope (especially when it concerns a process that interfaces with other processes that the joint controllers may have in place)
- Should cover the subject matter, duration, nature and purpose of the processing operations
- Should cover the categories of personal data and data subjects involved in the processing operations
Substance of the Arrangements
- The respective responsibilities, roles and relationships, so that the lawfulness, fairness and proportionality of the processing operations in place may be identified
- The respective duties of the joint controllers to provide information
- The responsibilities for information security, including the reporting of personal data breaches
- A contact point for data subjects requests
- Cooperation between joint controllers for the reply to data subjects requests and as regards the exercise of other rights of the data subjects
- Cooperation between joint controllers when carrying out DPIAs
- Possible processor(s) engaged by one (or more) of the controllers
A reference to the joint controllership should be made in the public part of the record of the processing activities. The EDPS additionally recommends linking the agreement to the internal part of the record.
Informing Data Subject About the Arrangement
- Data subjects must be able to understand clearly the division of responsibilities and whom to address first.
- This information should be provided to data subjects through the data protection notice. Each of the controllers may have a separate data protection notice. However, joint controllers may also coordinate on a common data protection notice to be provided to data subjects.
- The arrangement may also assign the task of informing data subjects to one of the joint controllers.
Exercise of Data Subject Rights Under Joint Controllership
- The terms of the arrangement may not limit data subjects from exercising their rights.
- If the roles and responsibilities are defined in the arrangement between joint controllers, this should also include cooperation obligations between them for dealing with such data subject requests. Such cooperation obligations, for example, may provide for a set contact point to which data subjects could address their requests, such as a common email address. In practice, the modalities on the general responsibilities should be contained in the arrangement, while the details on the concrete instructions may be set out in the underlying documents.
- It is essential to make sure that a data subject may always contact each joint controller to request access, erasure or restriction.
The EDPS also provided a helpful flowchart to determine whether or not you are a controller: