On 2 September 2020, the European Data Protection Board (“EDPB”) adopted its draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (“Guidelines”). The Guidelines, once adopted, will replace the Opinion 1/2010 adopted by the Article 29 Data Protection Working Party1 with the objective to provide updated guidance on the concepts of controller and processor and further clarify their different roles and responsibilities in the light of the General Data Protection Regulation (“GDPR”)2.
Reminder: how to determine the roles of controller and processor?
The roles of controller and processor are crucial since they determine who shall be responsible for complying with certain specific rules under the GDPR. However, those concepts are not always easy to ascertain in practice. The Guidelines intend to keep a consistent approach throughout the European Union on the circumstances to consider when identifying controllers and processors.
As a reminder, the controller is the person who determines the purposes and/or (essential) means of an identified personal data processing whereas the processor processes the personal data on behalf of the controller and under its instructions. Such roles are determined on a case-by-case basis against the factual background at hand (e.g. contractual relationships, competence conferred by law, traditional role and professional expertise).
Accordingly, the identification of an entity as a controller or a processor does not depend on that entity's nature but results from its concrete activities in relation to a specific personal data processing in a specific context. Therefore, the same entity may (and most of the time will) act at the same time as controller for specific processing and as processor for others within a given or related context. It also means that the contractual terms between the parties involved are not decisive in all circumstances since the assessment of the roles of the parties is a matter of fact. Similarly, not every service provider processing personal data in the course of delivering its services is a processor, even if that is explicitly stated in a contract between the service provider and its client.
What's new in the Guidelines?
Without being exhaustive here, the Guidelines specifically address and clarify the level of details to be provided in the processing agreement to be entered into between controllers and processors under Article 28.3 GDPR. In particular:
- it should not merely restate the provisions of the GDPR, but provide for specific and concrete information as to how the GDPR requirements will be met;
- it should include a list of authorised sub-processors, if any, together with the details of their processing activities, locations and implemented safeguards;
- any intended modification of the processing agreement must be expressly notified to and approved by the controller; the mere publication of such modifications on the processor's website does not comply with Article 28 of the GDPR;
- it is not required that the processing agreement between the processor and any subsequent processor includes provisions identical to those between the controller and the processor but similar obligations may be sufficient as appropriate according to the context; in the event that certain obligations cannot apply to the subsequent processor, such obligations should not be included by default in the contract.
The EDPB states again that processing agreements entered into between controllers and processors before 25 May 2018 must already have been updated to comply with the GDPR. The imbalance in contractual power between a controller and a processor cannot be a justification for the controller to accept contractual terms that are not GDPR-compliant.
This version of the Guidelines was subject to public consultations until 19 October 2020. After analysing the contributions received, the EBPD will adopt a final version of the Guidelines. Stay tuned!
1 Opinion 1/2010 on the concepts of “controller” and “processor” (WP 169) adopted on 16 February 2010. The Article 29 Data Protection Working Party was succeeded by the EDPB on 25 May 2018.
2 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.