EU: New Guidelines on the concepts of controller, processor and joint controllership

On 7 November, the European Data Protection Supervisor issued a set of guidelines that could be used by organisations to determine whether they act as controller, processor or joint controller. The Guidelines also contain easy-to-use checklists as well as a flowchart.

On 7 November, the European Data Protection Supervisor (“the EDPS”) issued a set of guidelines (“the Guidelines”) to assist EU institutions and bodies (“the EUIs”) in complying with the provisions of the Regulation (EU) 2018/1725 (“the Regulation 2018/1725”). Although the EDPS’ authority is limited to the EUIs, the Guidelines will be useful for all businesses that need to determine whether they act as controller, processor or joint controller under the EU General Data Protection Regulation.

The EDPS

The EDPS is an independent supervisory authority, with a mandate to ensure that European Union institutions and bodies comply with data protection laws when they process personal data. It is unrelated to the European Data Protection Board, which is composed of representatives from the EU member states’ data protection supervisory authorities. Regulation 2018/1725 lays down data protection obligations for EU institutions and bodies when they process personal data. The Regulation is independent of, but largely similar to, the GDPR.

The Guidelines

The Guidelines thoroughly analyse the concepts of “controller”, “processor” and “joint controllership”; focus on the criteria that can be used by the EUIs in order to correctly determine whether they act as a controller, processor or joint controller; and include simple yet useful checklists. Moreover, the Guidelines describe the obligations and responsibilities of the EUIs when processing personal data, whether as controller, processor or, as the case may be, joint controller. Although the Guidelines suggest topics to be included in joint controller agreements, they do not provide specific drafting; nor do they provide guidance for safeguards applicable to transfers outside EU/EEA. Both points will be subject to separate guidance issued by the EDPS.

Clarification of “controller” and “processor” concepts

The Guidelines reiterate many of the recommendations issued by the Article 29 Working Party in its Opinion 1/2010 on the concepts of “controller” and “processor”, and the holdings of well-established European case-law. They do, however, provide some important clarifications, as well as very specific, sector-oriented examples in order for the EUIs to correctly determine their role when processing personal data.

As such, the Guidelines clearly state that only a controller can determine the purpose of the processing of personal data. Further, only a controller can determine the essential means of the processing of personal data. However, it is possible for a processor to determine the non-essential means of the processing of personal data. In short, a controller will always determine the purpose and (at least) the essential means of the processing of personal data.

Another important clarification provided in the Guidelines is that an entity will still be qualified as a controller even if the entity does not have any access to the personal data processed on its behalf, as long as that entity determines the purpose and the means of processing, has influence on the processing by causing the processing of personal data to start (and, consequently, stop), or receives anonymous statistics based on personal data collected and processed by another entity. While this was already the common practice of certain European data protection authorities and a position upheld by the Court of Justice of the European Union (see notably Case C-210/6, Wirtschaftsakademie Schleswig-Holstein), it is now confirmed by the EDPS, especially in the context of the controller / processor distinction.

The same clarification applies when processing personal data under joint controllership; it is not necessary for both controllers to have access to personal data in order for them to be qualified as joint controllers.

And while the Guidelines do not fundamentally change the approach in assessing the roles of controller and processor, they do seem to allow for more independence in the role of processor in practice. The Guidelines state that the processor is not necessarily a mere “subordinate” and may still enjoy a considerable degree of autonomy when acting on behalf of the controller. The controller does not need to impose all the modalities of processing on the processor, and the processor may advise or propose certain processes. However, the controller must make the final decision on such processes. In the end, it remains to be seen from the practice of the EU authorities whether this is a reiteration of the idea espoused by the Article 29 Working Party that a processor may enjoy a certain level of independence when processing data, with the controller retaining the general control, or whether the authorities will adopt a more permissive concept of “processor”.

Practical considerations

While it is clear that the Guidelines were issued in order to assist EUIs in complying with the obligations set by Regulation 2018/1725, the Guidelines are worth consulting by all businesses, given that, as concerns the distinction between the roles of controllers and processors, as well as related obligations, the Regulation 2018/1725 follows the same principles as provided by the General Data Protection Regulation (“the GDPR”).

So, be aware:

  1. Only a controller can determine the purpose and the essential means of the processing of personal data. However, the processor is not necessarily a mere “subordinate” and may still enjoy a considerable degree of autonomy in deciding on the means when acting on behalf of the controller.
  2. You may still be qualified as a controller even if you do not have any access to the personal data processed on your behalf. In case of joint controllership, it is not necessary for both controllers to have access to personal data in order for them to be qualified as joint controllers.

For further information, please contact the authors of this article (Stefan Panic, Flavius Florea, Patrick Van Eecke and Carol Umhoefer) or your usual DLA Piper Data Protection contact.