Processor or Controller? It Really Depends
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Health Service Infrastructure. As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is to ensure the continuity of cross-border healthcare of patients as they move throughout the EU. To realize this goal, the Commission created the eHDSI, the system which enables the exchange of electronic patient data amongst member states. To clarify its role as the eHDSI creator and operator, the Commission sought the joint opinion of the EDPB and EDPS as to whether it was acting as a processor.
The opinion determined that the Commission processes personal data in two situations. First, to set up access rights for individuals granted access to the System. Second, when transferring patient data from one member state to another through the System. In making their determination, the EDPB and the EDPS relied on the Article 29 Working Party’s Opinion on the test to be a controller or processor. Namely,
“while determining the purpose of the process would in any case trigger the qualification as a controller, determining the means would imply control only when the determination concerns the essential elements of the means. In this perspective, it is well possible that the technical and organizational means are determined exclusively by the processor.”
With this guidance in mind, the opinion focused on the fact that the Network: 1) made the decision to use eHDSI; and 2) determined the purpose of the personal data processing in eHDSI, i.e. “ensuring continuity of cross-border health care.” By selecting eHDSI as the system, the Network chose the essential means of the processing. This was true even though the Commission created and maintained eHDSI and ultimately had exclusive control over eHDSI’s technical and organizational means. The opinion conceded that, as the supplier of the System, the Commission had a “certain degree of involvement” in defining the System’s security and communication standards, i.e. the means of processing. Nonetheless, when the Network used its decision-making power to decide which system to use, it chose the essential means of processing. Consequently, the opinion concluded that the Commission was acting as a processor.
Putting it Into Practice. For entities trying to decide whether or not they are a “controller,” this recent opinion illustrates that controlling an environment where personal data is processed does not in itself make the entity a data controller. Instead, at least according to this opinion, the focus should be on which entity gets to choose the environment in which the processing occurs.