Sep 182020

EDPB Publishes Draft Guidelines on the Concepts of Controller and Processor under the GDPR

William RM Long, Francesca Blythe and Denise Kara
, , ,

On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.

The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.

The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.

Below is a summary of some of the key takeaways from the Draft Guidelines.

  • Essential and Non-Essential Means for Processing: As per the WP29 Guidance, the Draft Guidelines make clear that a processor can determine “non-essential” means of processing (i.e., without becoming a controller), but that a controller will always be the entity to determine the “essential” means of processing. The Draft Guidelines provide further examples of what such essential and non-essential processing may entail.
  • No Requirement for Access to Data: In line with recent CJEU case law, the Draft Guidelines confirm that it is not necessary for a controller to actually have access to the personal data in order to be considered a controller of that data. An entity that has “determinative influence” on the purpose and (essential) means of the processing is to be regarded as a controller irrespective of any actual access to such data.
  • Criteria for Joint Control: To qualify as a joint controller, two or more controllers must jointly participate in determining the purposes and means of a processing activity. According to the EDPB, joint participation requires either a “common decision” (i.e., both controllers taking decisions about the processing together) or a “converging decision” (i.e., both controllers taking decisions about the processing which differ but complement each other and are necessary for the processing to occur). In the case of a “converging decision”, the EDPB notes that each party must be inseparable and “inextricably linked”. Further, according to the EDPB, the use of a common data processing system will not always result in a relationship of joint control.
  • The Essence of the Joint Controller Relationship Should Be Prescriptive: The “essence of the arrangement” between joint controllers should be made available to data subjects and should specify which joint controller is responsible for ensuring compliance with each of the elements of information required by Articles 13 and 14 of the GDPR.
  • Processor as a Distinct Legal Entity: The processor must be a separate legal entity in relation to the controller. Within a group of companies, a processor may be another group company, but not a department within a company for another department within that same company.
  • Controllers Must Assess the Guarantees Provided by Processors: The EDPB requires that a controller must assess whether a processor provides sufficient guarantees to implement appropriate technical and organisational measures , and in particular should consider the processor’s: (i) expert knowledge (e.g., technical expertise with regard to security measures and data breaches); (ii) reliability; and (iii) resources. Controllers may also consider a processor’s adherence to an approved code of conduct or certification mechanism and reputation in the market, where relevant. In addition, the EDPB is clear that this assessment should be carried out at appropriate intervals, and not only at the time a processor is onboarded.
  • Amendments to Processing Provisions Must Be Approved: Controllers must be notified of, and approve, any proposed modification by a processor to data processing agreements incorporated in standard terms and conditions. The EDPB is clear that unilateral amendments e.g., via publication of these modifications on the processor’s website, are not compliant with Article 28 of the GDPR.
  • Processing Provisions Should Extend Beyond Article 28: Data processing provisions entered into between a controller and a processor must not merely restate the provisions of Article 28 of the GDPR. Instead, the provisions should include more specific and concrete information as to how GDPR requirements will be met and the level of security required for the personal data. For example, criteria to guide the processor’s selection of any sub-processors should be set out (e.g., technical and organisational guarantees, expert knowledge, reliability and resources).
  • Controllers Must Be Given a Right to Object to Sub-Processing: Where the controller provides a general authorisation for the use of sub-processors, the processor must inform the controller of any intended addition or replacement to the sub-processors and give the controller an opportunity to object to such changes. Where a controller decides to accept certain sub-processors at the time of signing the agreement, a list of approved sub-processors should be included in the contract or in an annex to the contract.
William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Denise Kara

London

dkara@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.