Have you ever struggled to pinpoint the roles, and subsequent responsibilities, of controllers, joint controllers and processors in the context of the GDPR? Have you found yourself in negotiations where it was discussed who acted in which role? Help is coming your way.
The European Data Protection Board (or EDPB), a body composed of – inter alia – representatives of EU national data protection authorities, has provided helpful guidance in that regard. Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted on September 2, 2020 but more recently made available) offer clarifications on such respective roles.
Generally speaking, such GDPR roles have a functional nature and call for a factual rather than formal analysis.
- The controller can be any type of entity. It determines the purpose (the why) and the means (the how) of the data processing. Certain aspects of the processing may be determined by the processor, but they have to be “non-essential”.
- Joint controllers jointly participate to the determination of the purpose and means of processing, either through a common decision, or as a result of converging decisions. There is no joint controllership when different entities use a shared database or a common infrastructure, if each entity independently determines its own purposes.
- Data processors act on behalf of data controllers and must be separate entities from data controllers. Data processors must follow the instructions of the data controller, with a limited decree of discretion in their execution.
- The same entity may act, at the same time, as controller for certain processing operations and as processor for others: each data processing activity must be separately assessed.
Comments on the Guidelines can be sent to the EDPB until October 19.