New Guidelines on Data Controllers and Processors: Time to Review Data-Processing Agreements
The European Data Protection Board (EDPB) recently launched a consultation into new guidelines on the roles of data controllers, joint controllers and processors under the EU General Data Protection Regulation (GDPR).
The guidelines review some of the basic concepts of the GDPR and are not intended to make fundamental changes to the legal position in respect of these three roles. Instead, the EDPB hopes to clarify the distinctions between the roles and provide practical examples to help businesses ensure their practices and arrangements are compliant. Nevertheless, the guidelines (if adopted) will likely require businesses to review their policies and contracts to ensure that they are meeting these standards.
Background to the Guidelines and Consultation
The new guidelines are part of the EDPB’s wider efforts to harmonize European data protection authorities’ (DPAs) approach to enforcing the GDPR. The guidelines build on the pre-GDPR opinion previously published by the Article 29 Working Party in 2010 and incorporate various related judgments of the Court of Justice of the European Union (CJEU).
The concepts of “controllers,” “joint controllers” and “processors” are crucial elements of the GDPR. Determining and assigning the roles and responsibilities appropriately is a critical part of GDPR compliance.
The essence of what defines a controller for data protection purposes has not changed under the guidelines. To be categorized as a controller, the legal entity in question must determine both the purpose and means of processing (i.e., both the “why” and “how”) and the controller remains ultimately responsible for compliance (and demonstrating compliance) with the GDPR. This reflects the basic principle that personal data must be collected for specified, explicit and legitimate purposes and must not be processed in any way that is incompatible with those purposes.
The new guidelines emphasize the distinction between the “essential” and “non-essential” means of processing. Decisions relating to all “essential” means (i.e., those closely linked to the purpose and scope of processing) must be taken by the controller. Decisions relating to the “non-essential means,” such as what IT systems or encryption techniques to use, can be left to the processor — provided the processor takes such decisions in accordance with the general instructions given by the controller relating to the security of the data. The controller will ultimately remain responsible for the implementation of appropriate measures to securely process data and must be able to demonstrate this.
The guidelines also clarify further nuances in the definition of controller, following recent cases. For example, the EDPB clarifies that it is not necessary for the controller to actually have access to the data being processed in order to qualify as the controller. Similarly, it is possible for a controller to be controller only in respect of some parts or stages of the processing activity.
To qualify as joint controllers, there must be some level of participation between two or more legally separate entities in determining both the purpose and means (or “essential” means) of data processing. In the guidelines, the EDPB clarifies that it is not necessary for joint controllers to have taken a “common decision” about why and how data will be processed (i.e., in the sense of taking a decision while sitting around a real or virtual table together). If two or more entities make “converging decisions,” this will be sufficient. The EDPB suggests these “converging decisions” should be interpreted as those where each entity’s decisions related to the processing complement one another, in which each decision is a necessary, “inextricably linked” element in determining why and how the data ends up being processed. In other words, the entities involved are invited to ask whether the processing would be possible without each party’s involvement in these decisions as to purpose and essential means.
As with independent controllers, the fact that an entity does not have access to the personal data does not preclude it from being a joint controller. Drawing on recent case law in the CJEU, the EDPB gave an example of a religious community organisation which was held to be a joint controller with its members. Where the community organisation participated in determining the purposes and means by organising and coordinating the activities of its members (helping to achieve its overall objectives), it could be a joint controller with its members, regardless of whether it had access to the personal data or whether it had given written guidelines or instructions relating to the data processing. This has practical impacts in a number of areas. For example, a franchisor could be a joint controller with its franchisees if, in fact, it determines the purposes and means of the processing — even in a scenario where the personal data always resides with the franchisee and where the franchisee makes its own decisions regarding the processing without instructions from the franchisor.
Even where entities do not have the same purpose for the processing, if the purposes are closely linked or complementary, this can give rise to joint controllership. Similarly, if an entity decides to make use of a tool or system developed by another party for its own purposes, following recent case law, this can be considered joint controllership. For example, where the administrator of a fan page hosted on Facebook defined the parameters of the fan page (based on its target audience) and managed and promoted the fan page, it was held to be a joint controller with Facebook (and therefore jointly responsible for cookies placed by the platform).
However, the EDPB highlights that the mere existence of a mutual (commercial) benefit does not give rise to joint controllership. If the entity involved in the processing does not pursue any purpose(s) of its own in relation to the processing and is simply being paid for providing services, then it will be acting as a processor rather than a joint controller.
The EDPB emphasises that joint controllers should document their relationship. The nature of contracts between data controllers and data processors is prescribed in relatively detailed terms under Article 28 of the GDPR. Requirements relating to joint controllers are, however, much less detailed. Joint controllers are required to make the “essence of the arrangement” available to data subjects. The EDPB recommends that the essence should cover at least the information which must be provided to data subjects under Articles 13 and 14 — and should set out clearly the responsibilities of the controllers under the GDPR and how, between them, they will ensure that all of those responsibilities are met. The EDPB highlights case law from the CJEU which has clarified that while joint controllers are jointly responsible, they will not necessarily have equal responsibility, depending on their exact involvement in all stages of processing. Given that data subjects may exercise their rights against any of the joint controllers, it is prudent for each to ensure that the others are equally committed to upholding the principles of the GDPR and meeting their share of the obligations.
The clarification as to when entities become joint controllers has an impact on the role of the processor. Under the GDPR, a processor must be a separate entity from the controller and must process data only on the express instructions of the data controller. The EDPB gives the example of a group company acting as a processor on behalf of another group company, whereas a department within the same company or entity would not generally be regarded as a processor for another department. A processor will be in breach of the GDPR if it goes beyond or against the lawful instructions of a controller, with the exception given in the guidelines that processors can make decisions as to the “non-essential” means of processing. Processors must be clear on where the line lies between their instructions and the decisions they are permitted to make. Where they make decisions outside of their remit, this will not only put them in breach of the GDPR, but will also mean that they are considered a controller in respect of that processing and, accordingly, are subject to the additional requirements and liabilities of data controllers.
Documenting the Relationships – Revisiting Data Processing Agreements
The EDPB states that while the requirements in Article 28 regarding agreements between controllers and processors constitute the core content of any agreement, they are not enough in themselves. The agreement should be a way for the controller and the processor to clearly allocate their respective responsibilities for protecting the rights of data subjects and should detail how the core concepts will be implemented. They should therefore include concrete instructions on the nature and scope of the processing activities and, in particular, the security arrangements. Agreements which simply restate the requirements of Article 28, without the additional operational, practical layer, will not be sufficient. This will come as somewhat unwelcome (but not entirely unexpected) news for controllers and processors who have worked hard to implement data processing agreements covering myriad different processing activities, relationships and vendors. For purely practical reasons, given the sheer volume of agreements that needed to be implemented, many simply contained the bare bones of the Article 28 requirements. These may need to be fleshed out, particularly given that appointing data processors is not a one-time event, but an ongoing imperative that requires active management by the controller during the lifetime of the processing activities.