October 26, 2020

Volume X, Number 300


October 26, 2020

Subscribe to Latest Legal News and Analysis

October 23, 2020

Subscribe to Latest Legal News and Analysis

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 2)

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”).  This post focuses on the updates to the concept of controller. See our previous post regarding the concept of processors here.  Upcoming posts will address joint controllers, “third parties” and “recipients.”

Please note that the EDPB has invited businesses to provide their feedback on the draft Guidelines by 19 October 2020.

Part II: Focus on Data Controllers

What is New in the Draft Guidelines?

Although the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR.  Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks.  It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorising data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors.  Joint controller status will be the focus of our third blog in this series.

Controller determines purposes and means of processing

The basic criteria for determining what makes an organisation a controller remains the same as under the previous guidelines issued by the EDPB’s predecessor in February 2010 (“Opinion 1/2010 on the concepts of controller and processor”). This is unsurprising, since the EU General Data Protection Regulation (“GDPR”) has not changed the definition of controller that was codified by the 1995 EU Data Protection Directive 95/46/EC. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7) GDPR). The draft Guidelines reaffirm that the controller determines both the “purposes” and “means” of the processing of personal data. The purposes and means were interpreted as the “why” and the “how” of the processing in the 2010 Opinion. Control can be exercised over the entirety of a processing activity or only over a particular stage in the processing of the data.

Processors often have discretion as to the means of the processing, furnishing their own tools and technologies.  The draft Guidelines suggest that this does not necessarily impact the role of the processors if such control is limited to non-essential means of the processing.  As examples of such non-essential means, the draft Guidelines refer to “more practical aspects of implementation” – such as which hardware or software should be used.  At the same time, controllers retain the sole control on the “essential means” of the processing, if they decide “which data shall be processed”, “which third parties shall have access to this data”, “when data shall data be deleted”, etc.

The draft Guidelines offer as an example the situation in which a company appoints a payroll administrator and notes that the “way in which the latter should carry out the processing is in essence clearly and tightly defined” even if the payroll processor may decide on certain matters “such as which software to use”.

The draft Guidelines observe that in some cases there is a thin line between the role of controller and processor, such as when companies appoint accountants. Often the accounting firm “decides itself, in accordance with legal provisions regulating the tasks of the auditing activities carried out by it that the data it collects will only be processed for the purpose of auditing the client and it determines what data it needs to have, which categories of persons that need to be registered, how long the data shall be kept and what technical means to use”.  In such cases, the accounting firm acts as a controller. However,“[i]n a situation where the law does not lay down specific obligations for the accounting firm and the client company provides very detailed instructions on the processing, the accounting firm would indeed be acting as a processor.”

The controller role may stem from applicable legal provisions, that is, when the law determines the controller or establishes specific tasks for the organisation.  The draft Guidelines provide as an example the processing activity of a municipality that has the obligation to provide social welfare benefits to citizens depending on their financial situation. Classification as a controller may also result from “factual influence.”  The draft Guidelines also provide the example of a law firm that acts with a “significant degree of independence” when representing a client (noting also that the mandate is “not specifically targeted to personal data processing”). Factual influence includes amongst other things the terms of a contract or the “traditional roles and professional expertise that normally imply a certain responsibility” (as in the case of an employer with respect to the processing of personal data of its employees).

Access to personal data is irrelevant to be a controller

The draft Guidelines clarify, consistent with case law from the Court of Justice of the European Union (Facebook Fan page (C-201/16) and Jehovah’s Witnesses (C-25/17)), that organisations which do not have access to the personal data being processed on their behalf cannot exclude themselves from being a controller. So, for example, an organisation that engages a service provider to carry out a market study and only receives aggregated or statistical data will still be classified as a controller in relation to the personal data analysed in order to prepare the market study, if the organisation determines the means and the purposes for which personal data should be collected and the parameters of the study.

Control cannot be artificially allocated

As set out in the draft Guidelines, “it is not possible either to become a controller or to escape controller obligations simply by shaping the contract in a certain way,” or by appointing a natural person within one’s organisation to implement a processing activity and designate such person as the controller.

Continuous obligation to ensure processors and sub-processors provide “sufficient guarantees

Controllers have the primary responsibility for compliance with the GDPR due to the accountability principle and other obligations imposed directly by the GDPR on controllers. The draft Guidelines stress the obligation of the controller to only engage processors that provide sufficient guarantees that the processing will meet the GDPR requirements. The EDPB clarifies that this obligation also applies to granting authorisation for processors to engage a sub-processor.  In practical terms, this means that controllers should add an extra layer to their due diligence process for engaging service providers when the latter in turn engage sub-processors.  Controllers should have contractual restrictions on the processor’s right to engage a sub-processor without the controller’s prior authorisation. There should be controls in place to check that the sub-processors provide “sufficient guarantees”. Where the controller grants a general authorisation, controllers should have the right to be informed of any changes to the list of approved sub-processors and an opportunity to object to any new sub-processors.  The obligation to check that engaged processors and sub-processors provide sufficient guarantees is a “continuous obligation”, which requires regular verification that is ultimately the responsibility of the controller, even if the controller delegated the vetting of sub-processors to processors.

Emphasis on purpose limitation when sharing data with other controllers or joint controllers

The draft Guidelines also emphasise the duty of each controller to ensure that the personal data disclosed to another controller or a joint controller are not further processed in a manner that is incompatible with the purposes for which the data was originally collected by the controller disclosing the data. In case the personal data is intended to be used for additional purposes by the controllers or joint controllers receiving the personal data, they should contractually commit to have a legal basis for such processing.

Contractual arrangements

The draft Guidelines also provide an interpretation of Article 28(3) GDPR reaffirming that written and binding agreements are necessary. The EDPB calls on controllers to add specific and concrete information on how processors are to comply with their GDPR obligations (additional detail may be found here). Specifically, the EDPB suggests adding procedures and template forms in contracts with processors to allow processors to assist controllers, where necessary (for example setting forth a detailed procedure that would apply in case the processor suffers a data breach or who does what in case the controller or the processor receives data subject requests, etc.) or to arrange for further instructions for such assistance.

A controller’s instructions should also cover international transfers of data outside the EEA. Where the processor is authorised to delegate some processing activities to other sub-processors, the contract must be clear on whether the controller allows for transfers to processors in third countries, including the processor’s own divisions or units in third countries.

The EDPB emphasises that the controller will not be able to escape responsibility in cases where it agrees to non-negotiable terms offered by large service providers acting as processors, and the terms violate the GDPR requirements. Consequently, controllers must assess their compliance risks and ensure that any such non-negotiable contracts do not impact their key processing activities involving personal data, key data subjects or major data flows.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 289



About this Author

Rosa Barcelo Data Privacy & Cybersecurity Attorney Squire Patton Boggs Brussels, Belgium

Rosa Barcelo co-chairs the firm’s global Data Privacy & Cybersecurity Practice. She counsels clients on data protection and privacy, including compliance with the GDPR and the ePrivacy Directive. Her expertise includes advising organizations on structuring international data transfers, BCRs, completing Data Protection Impact Assessments, drafting data processor agreements and carrying out lead authority assessments. Rosa’s practice has particular focus on cutting-edge ICT issues, including AI, machine learning, autonomous vehicles, programmatic advertising and online tracking...

+322 627 1107
Stephanie Faber International Business Attorney Squire Patton Boggs Paris, France
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs
  • Data breach management and notification
  • Database creation, international transfers (Privacy Shield, BCR and Model clauses), cloud, HR data (including employee monitoring), marketing usage, health data, financial-related services, etc.
  • Whistleblowing (including new mandatory requirement effective 1 January 2018)
  • Contract negotiations
  • Relations and registrations with the French data protection authority, the CNIL

The Intellectual Property & Technology Practice of the Paris office encompasses advising on, drafting and negotiating contracts in the following areas:

  • Commercial contracts, including distribution agreements, services and supply agreements, advertising agreements, logistic agreements, general conditions of sales and sponsoring agreements
  • Joint ventures, transfer of businesses, assets or licenses
  • French regulations applying to commercial businesses, including e-commerce such as consumer protection, competition, advertising, product liability, abrupt termination of ongoing commercial relationships, distance sales, on or offline gaming and lotteries, and use of French language
  • IT, media and telecom contracts and outsourcing
  • Communication and media regulations
  • French anticorruption regulation (including compliance programs required since 2017), UKBA and FCPA
  • Relationship with regulators such as the DGCCRF (in charge of consumer protection and competition in France) and the CSC (Commission of Safety for Consumers), as well as the ARCEP (French regulator of the electronic communications and postal sectors)

Her commercial practice also includes conflicts and pre-litigation situations.

Stephanie also provides vocational and client training on regulatory or contractual matters. She is a speaker at the Law School of University of Paris II Panthéon-Assas for its “Diplôme d'université de la protection des données – Data Protection Officer (DPO)” (Data protection – DPO university degree) aimed at training future DPOs under the new European General Data Protection Regulation (GDPR). The degree is open to professionals who already have a first experience.

Stephanie is a member of IAPP, French Privacy associations AFCDP and ADPO and ICC’s Commissions on Digital Economy and Corporate Responsibility and Anti-corruption.

Stephanie regularly writes articles in French and in English, on both the firm’s blogs and with specialised press. She has also spoken at various conferences in the UK, France, Brussels and the Middle East.

33 1-5383-7400
Asel Ibraimova Data Protection Attorney Squire Patton Boggs London, UK

Asel Ibraimova is an associate with expertise in the UK and European data protection matters. She is qualified as a Certified Privacy Professional/Europe.

Asel has worked in the healthcare industry and media industry as an in-house lawyer, representing the interests of both data controllers and data processors. She has advised on methods of international transfer of personal data, on data protection issues related to the launch of websites, apps, mobile devices and online personalization services. She has negotiated data protection contracts with major online service providers,...

44 227-655-1208