EDPB Publishes Draft Guidelines on the Concepts of Controller and Processor under the GDPR

On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.

The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.

The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.

Below is a summary of some of the key takeaways from the Draft Guidelines.

  • Essential and Non-Essential Means for Processing: As per the WP29 Guidance, the Draft Guidelines make clear that a processor can determine “non-essential” means of processing (i.e., without becoming a controller), but that a controller will always be the entity to determine the “essential” means of processing. The Draft Guidelines provide further examples of what such essential and non-essential processing may entail.
  • No Requirement for Access to Data: In line with recent CJEU case law, the Draft Guidelines confirm that it is not necessary for a controller to actually have access to the personal data in order to be considered a controller of that data. An entity that has “determinative influence” on the purpose and (essential) means of the processing is to be regarded as a controller irrespective of any actual access to such data.
  • Criteria for Joint Control: To qualify as a joint controller, two or more controllers must jointly participate in determining the purposes and means of a processing activity. According to the EDPB, joint participation requires either a “common decision” (i.e., both controllers taking decisions about the processing together) or a “converging decision” (i.e., both controllers taking decisions about the processing which differ but complement each other and are necessary for the processing to occur). In the case of a “converging decision”, the EDPB notes that each party must be inseparable and “inextricably linked”. Further, according to the EDPB, the use of a common data processing system will not always result in a relationship of joint control.
  • The Essence of the Joint Controller Relationship Should Be Prescriptive: The “essence of the arrangement” between joint controllers should be made available to data subjects and should specify which joint controller is responsible for ensuring compliance with each of the elements of information required by Articles 13 and 14 of the GDPR.
  • Processor as a Distinct Legal Entity: The processor must be a separate legal entity in relation to the controller. Within a group of companies, a processor may be another group company, but not a department within a company for another department within that same company.
  • Controllers Must Assess the Guarantees Provided by Processors: The EDPB requires that a controller must assess whether a processor provides sufficient guarantees to implement appropriate technical and organisational measures , and in particular should consider the processor’s: (i) expert knowledge (e.g., technical expertise with regard to security measures and data breaches); (ii) reliability; and (iii) resources. Controllers may also consider a processor’s adherence to an approved code of conduct or certification mechanism and reputation in the market, where relevant. In addition, the EDPB is clear that this assessment should be carried out at appropriate intervals, and not only at the time a processor is onboarded.
  • Amendments to Processing Provisions Must Be Approved: Controllers must be notified of, and approve, any proposed modification by a processor to data processing agreements incorporated in standard terms and conditions. The EDPB is clear that unilateral amendments e.g., via publication of these modifications on the processor’s website, are not compliant with Article 28 of the GDPR.
  • Processing Provisions Should Extend Beyond Article 28: Data processing provisions entered into between a controller and a processor must not merely restate the provisions of Article 28 of the GDPR. Instead, the provisions should include more specific and concrete information as to how GDPR requirements will be met and the level of security required for the personal data. For example, criteria to guide the processor’s selection of any sub-processors should be set out (e.g., technical and organisational guarantees, expert knowledge, reliability and resources).
  • Controllers Must Be Given a Right to Object to Sub-Processing: Where the controller provides a general authorisation for the use of sub-processors, the processor must inform the controller of any intended addition or replacement to the sub-processors and give the controller an opportunity to object to such changes. Where a controller decides to accept certain sub-processors at the time of signing the agreement, a list of approved sub-processors should be included in the contract or in an annex to the contract.