June 16, 2021

Volume XI, Number 167

Can a Processor Decide Which Third Parties Should Have Access to Personal Data?

A controller refers to the entity that determines the “purposes and means” of how personal data will be processed. Determining the “means” of processing refers to deciding “how” information will be processed.[1] That does not necessarily mean, however, that a controller must make every decision with respect to the processing of information.

The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.”[2] Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, considered by the EDPB to be “traditionally and inherently reserved to the controller.”[3] In other words, essential means are decisions regarding how personal data will be processed that a controller cannot delegate to a third party. The EDPB has taken the position that one of the essential means of processing that should be decided by a controller is the determination of the “categories of [data] recipients.”[4] Put differently, a controller is expected to answer the question of “who shall have access” to personal data.[5] If a processor takes it upon itself to decide which third parties should be permitted to receive personal data, there is a chance that a supervisory authority may view the processor as acting in the capacity of a controller.


Can a processor decide whose personal data will be processed?

A controller refers to the entity that determines the “purposes and means” of how personal data will be processed. Determining the “means” of processing refers to deciding “how” information will be processed.[6] That does not mean, however, that a controller must make every decision with respect to the processing of information.

The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.”[7] Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, considered by the EDPB to be “traditionally and inherently reserved to the controller.”[8] In other words, essential means are decisions regarding how personal data will be processed that a controller cannot delegate to a third party. The EDPB has taken the position that one of the essential means of processing is determining “the categories of data subjects” whose information will be processed.[9] Put differently, a controller is expected to answer the question of “whose personal data” will be processed.[10] If, instead, a processor decides whose information should be processed, there is a chance that a supervisory authority may view the processor as acting in the capacity of a controller in relation to the personal data.


Can a processor decide how long data should be stored?

A controller refers to the entity that determines the “purposes and means” of how personal data will be processed.[11] Determining the “means” of processing refers to deciding “how” information will be processed.[12] That does not mean, however, that a controller must make every decision with respect to the processing of information.

The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.”[13] Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, considered by the EDPB to be “traditionally and inherently reserved to the controller.”[14] In other words, these are decisions regarding how personal data will be processed that a controller should not delegate to a third party. The EDPB has taken the position that one of the essential means of processing is “the duration of the processing.”[15] As a result, a controller is expected to answer the question of “how long shall [personal data] be processed?”[16] If, instead, a processor selects the duration of processing, there is a chance that a supervisory authority may view the processor as a controller in relation to the personal data.


[1] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

[2] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[3] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[4] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[6] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

[7] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[8] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[9] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[10] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[11] GDPR, Article 4(7).

[12] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

[13] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[14] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[15] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[16] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

 

 

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 127

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425