The European Data Protection Board (EDPB or Board) issued final guidelines on how to determine who are controllers and processors under the General Data Protection Regulation (GDPR). Last September, the Board launched this initiative to update the guidance of the predecessor of the EDPB, the Article 29 Working Party 29, on controllers and processors under the GDPR’s predecessor regime. These guidelines should regularize across the European Union how controllers and processors are demarcated and ultimately regulated. Of course, the document can also help entities in the data collection and processing realm determine which role they have and therefore their responsibilities under the GDPR. Today, I will look at the first half of the document and finish up tomorrow.
At the beginning of the Board explained the purpose of the document:
The concept of controller and its interaction with the concept of processor play a crucial role in the application of the GDPR, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The GDPR explicitly introduces the accountability principle, i.e. the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data in Article 5. Moreover, the GDPR also introduces more specific rules on the use of processor(s) and some of the provisions on personal data processing are addressed – not only to controllers – but also to processors.
Much of the above seems straight forward and self-explanatory. Of course, who is and is not a controller is crucial under the GDPR, for one’s compliance responsibilities are determined in large part by who the party is.
The EDPB continued:
- It is therefore of paramount importance that the precise meaning of these concepts and the criteria for their correct use are sufficiently clear and shared throughout the European Union and the EEA.
- The Article 29 Working Party issued guidance on the concepts of controller/processor in its opinion1/2010 (WP169) in order to provide clarifications and concrete examples with respect to these concepts. Since the entry into force of the GDPR, many questions have been raised regarding to what extent the GDPR brought changes to the concepts of controller and processor and their respective roles. Questions were raised in particular to the substance and implications of the concept of joint controllership (e.g. as laid down in Article 26 GDPR) and to the specific obligations for processors laid down in Chapter IV (e.g. as laid down in Article 28 GDPR). Therefore, and as the EDPB recognizes that the concrete application of the concepts needs further clarification, the EDPB now deems it necessary to give more developed and specific guidance in order to ensure a consistent and harmonized approach throughout the EU and the EEA. The present guidelines replace the previous opinion of Working Party 29 on these concepts (WP169).
Uniformity among all the nations enforcing the GDPR on how the terms and their attendant obligations are construed is the primary goal of the document.
Moreover, the EDPB’s construction of these definitions flows the foundational principle of data protection law in the EU: accountability. Controllers, in particular, must be accountable for meeting all the obligations under the GDPR and be able to demonstrate compliance. The Board explained:
- The GDPR, in Article 5(2), explicitly introduces the accountability principle which means that:
- – the controller shall be responsible for the compliance with the principles set out in Article 5(1) GDPR; and that
- – the controller shall be able to demonstrate compliance with the principles set out in Article 5(1) GDPR.
- This principle has been described in an opinion by the Article 29 WP and will not be discussed in detail here.
- The aim of incorporating the accountability principle into the GDPR and making it a central principle was to emphasize that data controllers must implement appropriate and effective measures and be able to demonstrate compliance.
The EDPB also stresses that controllers and processors are subject to some of the GDPR’s more specific accountability requirements that are not enumerated in Article 5. For example, the Board stated:
However, some of the more specific rules are addressed to both controllers and processors, such as the rules on supervisory authorities’ powers in Article 58. Both controllers and processors can be fined in case of non-compliance with the obligations of the GDPR that are relevant to them and both are directly accountable towards supervisory authorities by virtue of the obligations to maintain and provide appropriate documentation upon request, co-operate in case of an investigation and abide by administrative orders. At the same time, it should be recalled that processors must always comply with, and act only on, instructions from the controller.
Thus, the EDPB concludes its reasoning as to why the guidelines are needed:
The accountability principle, together with the other, more specific rules on how to comply with the GDPR and the distribution of responsibility, therefore makes it necessary to define the different roles of several actors involved in a personal data processing activity.
The EDPB makes clear, however, that the concepts of controller and processor have not changed since the Article 29 Working Party’s 2010 construction of them. Moreover, the terms have the same role in apportioning responsibilities. Consequently, discerning who is a controller and who a processor is necessarily a fact driven finding and will be made immaterial of whatever term a party may claim for itself or assign to another entity. This necessarily suggests data protection authorities (DPA) will need to dig into an entity’s contracts and business arrangements before it will deem a party a controller. Moreover, it is not hard to imagine resource deprived DPAs taking an extended period of time to make this threshold determination before it can properly conduct an investigation of GDPR compliance.
On this latter point, the EDPB concedes that controller and processor are terms with meanings in other legal and policy fields but stresses these terms have no place in the GDPR. One can imagine lawyers and companies trying to push back against a finding that an entity is a controller through the use of similar terms. The Board wants to foreclose that possibility through declaring the same term in other fields has no place in the EU’s data protection scheme.
The Board also advises that the determination of who is a controller should be made as widely as the GDPR will allow in order for EU and European Economic Area (EEA) residents to enjoy data protection rights but also to avoid gaps in the law.
The Board recites the GDPR’s definition of a controller and then analyzes each phrase:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
It is interesting that the EDPB makes the decision to functionally restrict the definition of controller to organizations when the GDPR makes clear it can be any natural or legal person. The advocacy organization, none of your business, makes this point in their comment on the draft guidelines:
When reading the Guidelines it seems striking to us that -while highlighting that a controller may be a “natural person”-all examples and Guidelines are dealing with business to business or government relationships. The Guidelines currently leave the reader with the impression that natural persons are solely playing a role as data subjects. Nothing could be further from reality: Just like the example on page27 of the Guidelines that deals with the use of cloud services by a municipality, private users equally use cloud providers for their purposes, run their own servers and webpages or use their email accounts. Especially many open source projects and attempts to have users keep their own data locally or in a secure cloud environment aim to regain the factual and legal power of users over their personal data.
It seems like an unnecessary road to take. The plain language of the GDPR permits a person to be a controller, and the EDPB could have adopted language to the effect that most controllers are organizations or bodies. Nonetheless, the Board does stress that the people making decisions about data processing in any given organization are not controllers, and the organization itself is. This point needs making to forestall organizations blaming GDPR violations on employees.
The Board next construes “determines” in the definition of controller as being the portion from which constructions of “control” flow (i.e. “the controller’s influence over the processing, by virtue of an exercise of decision-making power.”) The Board hints that this finding should ideally be made on the basis of facts about the processing as opposed to working from legal analysis. Be that as it may, the EDPB stated:
In most situations, the “determining body” can be easily and clearly identified by reference to certain legal and/or factual circumstances from which “influence” normally can be inferred, unless other elements indicate the contrary. Two categories of situations can be distinguished: (1) control stemming from legal provisions; and (2) control stemming from factual influence.
Absent a legal responsibility that clearly makes one a controller, the EDPB advises that “[i]n many cases, an assessment of the contractual terms between the different parties involved can facilitate the determination of which party (or parties) is acting as controller.” Moreover, “[i]f one party in fact decides why and how personal data are processed that party will be a controller even if a contract says that it is a processor.”
In terms of the possibility of there being multiple controllers, the EDPB asserts that “several different entities may act as controllers for the same processing, with each of them then being subject to the applicable data protection provisions…[and] an organisation can still be a controller even if it does not make all the decisions as to purposes and means.” But more on joint controllers later.
The EDPB goes to lengths to explain that whoever determines the how and why of the processing (i.e. the purpose and means) will be found to be a controller regardless of title or role. And yet, the EDPB conceded that matters are sometime not so cut and dried and stated that “there is a need to provide guidance about which level of influence on the “why” and the “how” should entail the qualification of an entity as a controller and to what extent a processor may make decisions of its own.”
The Board declares that “[d]ecisions on the purpose of the processing are clearly always for the controller to make” (in other words, the why of the processing.) On the how, things get blurrier and will depend on whether the means of processing are essential or non-essential. The former “are traditionally and inherently reserved to the controller” and
are closely linked to the purpose and the scope of the processing, such as the type of personal data which are processed (“which data shall be processed?”), the duration of the processing (“for how long shall they be processed?”), the categories of recipients (“who shall have access to them?”) and the categories of data subjects (“whose personal data are being processed?”).
Non-essential means, on the other hand, are choices a processor will often make without consultation or input from a controller such as which hardware or software to use or appropriate security measures to implement.
The EDPB then turns back to joint controllers and remarks:
While the concept is not new and already existed under Directive 95/46/EC, the GDPR, in its Article 26, introduces specific rules for joint controllers and sets a framework to govern their relationship. In addition, the Court of Justice of the European Union (CJEU) in recent rulings has brought clarifications on this concept and its implications.
Not surprisingly, the determination of when there are joint controllers is mostly but not entirely fact driven. Titles and purported roles will count for little, and an organization or a DPA will need to dig into who is calling the shots with respect to the why of the data processing and also the how in terms of essential and non-essential means.
The EDPB explains:
Article 26 GDPR, which reflects the definition in Article 4 (7) GDPR, provides that “[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.” In broad terms, joint controllership exists with regard to a specific processing activity when different parties determine jointly the purpose and means of this processing activity. Therefore, assessing the existence of joint controllers requires examining whether the determination of purposes and means that characterize a controller are decided by more than one party. “Jointly” must be interpreted as meaning “together with” or “not alone”, in different forms and combinations,
And yet, the EDPB cautions that the involvement of several entities in processing does not automatically give rise to a finding that there are joint controllers:
Not all processing involving several entities give rise to joint controllership. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing. More specifically, joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand. If each of these elements are determined by all entities concerned, they should be considered as joint controllers of the processing at issue.
Moreover, the EDPB notes that “joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities regarding the purposes and essential means.”
The EDPB then pays heed to CJEU case law on joint controllers in noting:
The situation of joint participation through converging decisions results more particularly from the case law of the CJEU on the concept of joint controllers. Decisions can be considered as converging on purposes and means if they complement each other and are necessary for the processing to take place in such manner that they have a tangible impact on the determination of the purposes and means of the processing. It should be highlighted that the notion of converging decisions needs to be considered in relation to the purposes and means of the processing but not other aspects of the commercial relationship between the parties.
The EDPB concludes “[a]s such, an important criterion to identify converging decisions in this context is whether the processing would not be possible without both parties’ participation in the purposes and means in the sense that the processing by each party is inseparable, i.e. inextricably linked.”
Finally, the Board turns to processors and stated:
A processor is defined in Article 4 (8) as a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Similar to the definition of controller, the definition of processor envisages a broad range of actors – it can be “a natural or legal person, public authority, agency or other body”. This means that there is in principle no limitation as to which type of actor might assume the role of a processor. It might be an organisation, but it might also be an individual.
It is interesting that the EDPB allows that a processor might be an individual, but that controllers are most likely organizations. Nevertheless, the EDPB stated that there can be multiple processors:
Processing of personal data can involve multiple processors. For example, a controller may itself choose to directly engage multiple processors, by involving different processors at separate stages of the processing (multiple processors). A controller might also decide to engage one processor, who in turn – with the authorisation of the controller – engages one or more other processors (“sub processor(s)”). The processing activity entrusted to the processor may be limited to a very specific task or context or may be more general and extended.
The Board reiterated that “[t]wo basic conditions for qualifying as processor are:
a) being a separate entity in relation to the controller and
b) processing personal data on the controller’s behalf.
Moreover, the facts of any given data processing must be examined closely, for an entity could be a processor in some circumstances and a controller in others. This consideration is pertinent in the case of a processor, for controllers that process personal data do not become processors as well. The opposite can be the case, however.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.