On 2 September 2020, the European Data Protection Board ("EDPB") published new Guidelines 07/2020 ("Guidelines") for public consultation on the concepts of controller and processor under the European General Data Protection Regulation ("GDPR"). Once finalised, the Guidelines will replace the previous Working Party 29 Opinion 1/2010 (WP169), upon which they build.
Where more than one party is involved in the processing of personal data, the question of the respective roles of the parties with regard to the processing activities arises. The concepts of controller and processor and the interactions between them play a crucial role in the application of the GDPR, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.
The Guidelines clarify the criteria that businesses can use to assess their roles in processing activities, and contain practical flowcharts as Annexes illustrating how these criteria apply in different scenarios. From this, it is clear that joint controllership is more likely to occur than businesses may perhaps have anticipated in the past, for instance where there is no joint determination of purposes, but there is a convergence of decisions on the purposes and means of processing that leads to inseparable processing activities by joint controllers. Another important point made by the Guidelines is the need for real operative terms to be set out in Data Processing Agreements, between joint controllers as well as between controllers and processors, that detail how personal data will be handled by the parties in practice. Simple restatements of the GDPR provisions will not be sufficient.
A controller is a party that decides certain key elements of the processing. In practice, it is usually necessary to analyse the factual elements or circumstances of the case in order to identify the entity or entities that act as controller(s). Certain processing activities are naturally attached to the role of an entity, which then acts as a controller (an employer towards its employees, a publisher towards its subscribers or an association towards its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances.
A controller is the body that determines both the purposes and means of processing, i.e. the why and how of the processing. The EDPB confirms that a controller does not need to have access to the personal data being processed in order to qualify as a controller.
The Guidelines distinguish between the determination of the essential means of processing (which and whose data shall be processed? for how long? who shall have access?) which is reserved to controllers, and the non-essential means, concerning practical aspects of implementation (e.g. the choice of a particular type of hardware or software, or the security measures), which can be left for the processor to determine.
As well as determining these non-essential means, a processor can offer a service that is defined in advance, e.g. a cloud hosting provider may offer a worldwide standardised service. However, the controller has to approve the way the processing is carried out and must be able to request changes if necessary.
It is clear from the Guidelines that an entity can be a data controller for a single processing operation or a series of operations, and can simultaneously act as a controller for certain processing activities and as a processor for others. Companies must, therefore, carefully consider their position with regard to each processing operation carried out.
Though the concept of joint controllers is not new, Article 26 of the GDPR introduced specific rules and a framework to govern their relationship.
The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of the processing operation. The most common understanding of joint participation is common decision making, i.e. two or more entities deciding together with common intention. But joint participation can also arise through converging decisions. This would occur where the decisions of both parties complement each other and are necessary for the processing to take place, i.e. the processing would not be possible without both parties' participation, and processing activities by each party are inseparable or inextricably linked.
Joint purpose or complementary purposes
The Guidelines confirm that joint controllership may also arise where there is a jointly defined purpose or purposes which are closely linked or complementary, e.g. where there is a mutual benefit arising from the same processing operation, provided that each of the entities involved participates in the determination of the purposes and means of the relevant processing operation. For example, by creating a page on a social media network to promote its activities, a business defines the parameters of the target audience. Note that the mere existence of mutual benefit arising from a processing activity does not give rise to joint controllership.
External tools and systems
A choice by a party to use, for its own purposes, a tool or other system developed by another entity that allows the processing of personal data will likely amount to a joint decision on the means of that processing by those entities. This scenario can notably arise in the case of platforms, standardised tools, or other infrastructure that allow the parties to process the same personal data, and which have been set up in a certain way by one of the parties to be used by others who can also decide how to set it up. For instance, a business creating a page on a social media network and determining parameters based on its target audience must be seen as determining the means of processing the personal data of visitors to its page. On the other hand, there is no joint controllership if the processing is separable and could be performed by one party without intervention from the other, or where the provider is a processor in the absence of any purpose of its own.
Distribution of responsibilities – joint controller agreement
The EDPB recommends that the joint controller arrangement required by Article 26 take the form of a binding document, such as a contract, for the sake of legal certainty and as evidence of transparency and accountability. The essence of this joint controller arrangement shall be made available to the data subject. In distributing responsibilities, Article 26(1) of the GDPR states that joint controllers must consider "in particular" their obligations as regards the exercise of data subjects' rights and the duties to provide information referred to in Articles 13 and 14. Joint controllers need to ensure that the whole joint processing fully complies with the GDPR, and shall consider, amongst others as the case may be, the obligations regarding notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34 GDPR), data protection impact assessments (Articles 35 and 36) and transfers of data to third countries (Chapter V). The relevant factors that led to the allocation of responsibilities between joint controllers should also be documented.
Depending on the processing activities and the intention of the parties, any limitations on the use of personal data for another purpose by one of the joint controllers should also be considered. Joint controllers must ensure they both have a legal basis for the processing and, where personal data is shared by one controller with another, each controller has a duty to ensure that the data is not further processed in a manner incompatible with the purposes for which it was originally collected by the controller sharing the data.
The Guidelines emphasise that joint responsibility does not equate to equal responsibility. The level of responsibility must be assessed with regard to all relevant circumstances of a particular case and with regard to each processing operation undertaken.
A processor may only act "on behalf of" a controller. As provided in Article 28(10), a processor infringes the GDPR by going beyond the controller's instructions and determining its own purposes and means of processing. The processor will be considered a controller in respect of such processing and may be subject to sanctions for going beyond the controller's instructions.
Not every service provider that processes personal data in the course of delivering a service is a "processor" within the meaning of the GDPR. The Guidelines emphasise that the role of processor stems from the concrete activities in a specific context, not from the nature of the entity, noting that where a service is not specifically targeted at processing personal data, or where such processing does not constitute a key element of the service, the service provider may be in a position to independently determine the purposes and means of that processing. In that situation, the service provider is to be seen as a separate controller rather than a processor.
Data Processing Agreements ("DPA")
Article 28 requires that every time a controller uses a processor to process personal data, there must be a written contract that binds the processor to the controller in respect of its processing activities. This is also the case where a processor uses a sub-processor, with the addition that such a contract must offer a level of protection for the personal data equivalent to that in the contract between the controller and the processor. The written contract is generally referred to as a DPA. The Guidelines emphasise that the DPA should not just restate the provisions of the GDPR but include more specific, concrete information on how the Article 28 requirements will be met.
Controllers should only use "processors providing sufficient guarantees to implement appropriate technical and organisational measures". The Guidelines highlight that it is not enough to have guarantees in the contract; the controller must assess the sufficiency of the guarantees provided for the specific relationship. The guarantees provided are therefore actually those that the processor is able to demonstrate to the satisfaction of the controller, so that the controller can take them into account in its assessment. The DPA should also document the specific and minimum necessary technical and organisational measures the processor should implement, and not just repeat Article 32 of the GDPR.
To address a culture of "tick-box" privacy compliance when drafting DPAs, the Guidelines focus on ensuring accountability and detailing the processing activities to be conducted. With regard to the processor's duties of assistance pursuant to Article 28(3)(f) of the GDPR (security of processing, notification of personal data breaches, data protection impact assessment and prior consultation), the DPA should not just restate the Article 28 requirements but contain details as to how the processor is asked to help the controller meet the listed obligations. For example, it is recommended that a specific timeframe for notification of a breach by the processor to the controller, and a point of contact, be provided.
In keeping with its emphasis on the duty of accountability, the EDPB recommends that, as processing instructions from the controller must be documented, a procedure and a template for such instructions be included in an annex to the DPA. It is further suggested that the parties negotiate and agree the consequences of a notification by the processor of an infringing instruction in case of inaction by the controller.
Where a processor engages other processors (sub-processors), prior specific or general written authorisation must be obtained from the controller. Specific authorisation must refer to a specific sub-processor for a specific processing activity and at a specific time. Where general authorisation has been given for the use of sub-processors (i.e. a list of sub-processors is annexed to the DPA), the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object. In both scenarios, the DPA should include details as to the timeframe for the controller's approval or objection and the intended method of communication for this. When setting the timeframe, the parties should consider the type of processing, complexity of activities and the parties' relationship.
The Guidelines are open to public consultation until 19 October 2020. Following the consultation period and review of contributions received, the Guidelines will be formally adopted by the EDPB. In advance of the Guidelines being finalised, organisations should review their relationships and contracts with third parties that involve the sharing of personal data to make sure that their DPAs and Joint Controller Agreements are amended to reflect the likely roles and respective responsibilities of the parties and include specific, operative measures to fulfil the requirements of Articles 28 and 26 of the GDPR in practice.