European Data Protection Board Publishes Guidelines on the Concepts of Controller and Processor, Brings New Light on the Notion of "Joint Controllers"
The European Data Protection Board (EDPB) published two sets of new guidelines on 2 September 2020, on the concepts of controller and processor (Guidelines 07/2020, the Guidelines) and on the targeting of social media users (Guidelines 08/2020, see our alert here). The former aims to replace the previous opinion by the EDPB's predecessor, the WP29, on these concepts by clarifying the main concepts of "controller", "joint-controllers" and "processor" and by specifying the consequences attached to these notions.
CONTROLLER OR PROCESSOR: TELL ME WHAT YOU ARE DOING AND I WILL TELL YOU WHAT YOU ARE
To determine whether an entity is a controller or a processor, the EDPB highlights the necessity to look at the entity that initiates, participates, and dictates the decision-making process regarding the purposes and the means of the processing operations at stake.
In some cases, applicable law may require an entity to process personal data for specific purposes; in this limited instance, identifying the controller is the most straightforward scenario.
However, where such an assessment is more complex, the Guidelines mandate a closer look at the factual circumstances and, following the letter of Article 4(7) GDPR, an analysis, on a per-processing basis, of the elements pointing toward the stakeholder which determines the purposes (i.e., the "why") and the means (i.e., the "how") of a given processing operation. On this particular point, the EDPB clearly stated in the Guidelines that the mere determination of the purposes was not sufficient to qualify as a data controller, and added that instructions provided by a data controller to its data processor should also be documented so as to clarify the characterization of the respective roles.
Therefore, according to the EDPB, the decision-making process is at the core of the assessment: the fact that a contract states that an entity is not a controller, or even the fact that the actual controller would never have any direct access to the underlying personal data, has no bearing on whether an entity is characterized as a data controller.
As for the notion of processor, after recalling that controllers and processors must be separate entities, the EDPB outlined the requirement to look at the degree of influence an entity may exert over another, as a processor should always act on behalf of the controller and never on its own.
In some cases, however, a processor may participate in the decision-making process of the data processing pertaining to the means of the processing without prejudice to its qualification as a processor, inasmuch as the entity only participates in the determination of the non-essential means of processing.
In that regard, the EDPB dissociated two categories of means:
Essential means that can only be determined by a controller and which deal with the type of data processed, the duration of the processing, the categories of data subjects, etc.
Non-essential means that can also be determined by the processor and which deal with more practical aspects of the processing, such as the choice of software, etc.
CONTROLLER AND PROCESSOR: A RELATIONSHIP BOUND BY A CONTRACT
Further to Article 28 GDPR, controllers and processors must formalize their relationship in a written legal instrument with binding effect, which can be in electronic form. Such a data processing agreement (DPA) must address all the elements listed in this Article, but should not consist of a mere restatement of the regulatory provisions. Indeed, while GDPR provides for general goals to be achieved, it is left to the parties to negotiate the specific and operational implementation to achieve these goals, in particular with regard to the cost of compliance and the cooperation between controllers and processors, especially in the event of a data breach.
Furthermore, the DPA must also describe in detail (i) the key aspects of the processing operations (e.g., the data subjects and categories of data involved), and (ii) the security measures implemented by the processor to safeguard the personal data under its custody. While a processor may propose its own form of DPA, the onus will remain on the controller to ensure that such descriptions are not only specific enough but also sufficient to ensure its own compliance with GDPR.
Finally, as part of the effective exercise of their control over the processing operation, controllers should always be informed prior to the change or engagement of sub-processors by their processor and should in any case have the possibility to object to such appointment.
JOINT-CONTROLLERS: TWO SIDES OF THE SAME COIN
Building on several decisions by the Court of Justice of the European Union (Wirtschaftsakademie - C‑210/16 and Fashion ID - C‑40/17), the EDPB also provided guidance for situations where two or more entities participate in determining the purposes and the means of the processing, thereby acting as “joint-controllers”.
Here again, the factual circumstances of the processing activity will be the key to the characterization, notably with regard to the “common intention” of the stakeholders.
Such common intention may not simply result from mere mutual benefit from the processing operation (e.g., a processor will benefit from the processing in terms of financial compensation, but would not pursue the same purposes as the controller). It will however result from the shared participation in the decision-making process, such as joint decisions or through converging decisions complementing each other. In that regard, the impossibility to carry out an operation without the validation of one of the entities would characterize a sufficient interdependency consistent with a joint-controllership finding.
JOINT-CONTROLLERS: A RELATIONSHIP BOUND BY A CONTRACT (AGAIN)
Further to Article 26 GDPR, joint-controllers need to allocate their respective responsibilities based on the factual circumstances of the processing. In that respect, the EDPB extrapolated on GDPR by requiring that the arrangement reflecting this allocation be a written contract. Such soft-law requirements aim at fostering transparency and accountability.
Considering that joint controllers will also be jointly and severally liable to data subjects and the Supervisory Authorities alike, contractual warranties among joint controllers should also be considered a best practice.
This allocation will also need to address which of the joint-controllers will be in charge of informing the individuals in accordance with Articles 13 and 14 GDPR as well as any follow-up engagement with them with regard to the exercise of their rights.
Even if they retain a certain degree of flexibility in their agreement, joint-controllers will need to allocate their respective roles and responsibilities on the basis of the factual circumstances of the processing. While the EDPB recommends documenting such an assessment, with the factors taken into account and the analysis conducted for the distribution, in line with the accountability principle, it remains to be seen what latitude supervisory authorities would have in reviewing private contracts with a relative effect, as GDPR only requires a document to exist but, unlike for the controller/processor relationship, does not provide for any mandatory provisions to be included.
ACTION ITEMS FOR COMPANIES IMPLEMENTING PROCESSING OPERATIONS WITH OTHERS
While the Guidelines provide a bit more clarity on specific controller/processor relationships, the main takeaway focuses on the joint-controllership relationships, which have often been neglected by stakeholders. While waiting for the revised and final Guidelines later this year, the following best practices should already be considered:
Assessing the operational aspects of data collection and processing activities, especially pertaining to the decision-making process, to determine whether you are a controller, a processor, or a joint-controller;
Whether acting as a controller or processor, reviewing your data protection agreements to ensure that the requirements set forth under Article 28 GDPR are given their full practical effect and, as the case may be, renegotiating such agreements;
When acting as a joint controller, ensuring that a proper joint-controllership arrangement has been implemented and not merely a data processing agreement; and