Clarification: The concepts of controller and processor in GDPR
While it can feel that the GDPR is now sufficiently embedded in the way we all work, those working with data will know that the terms within it continue to sometimes less than clear cut. On 7th September 2020 the European Data Protection Board published some draft guidelines to help everyone understand the concepts of controller, joint controllers, processor, third party and recipient under the GDPR. The guidelines set out concrete examples for each term in a bid to help. The first part explains the different concepts while the second part sets out the main consequences. They also include a flow chart for added clarity. You can read the guidelines in full here.
We’ve summarised the guidelines here…
We don’t need to tell you that the concepts of controller and processor are crucial within GDPR. They determine who is responsible for compliance with which elements of the GDPR obligations and the ways in which individuals (“data subjects”) can exercise their data protection rights. Although these definitions haven’t actually materially changed since the previous EU data protection framework, the GDPR has introduced stronger and more detailed obligations for each role (particularly making processors directly liable for compliance). This is coupled with the recent Court of Justice of the European Union rulings, which clarified the concept of joint controllership and its implications. In short, things have moved on and guidance was needed to address the questions and to present a consistent message to those tasked with implementing the regulations.
The main points are as follows:
● Controller - This needs to be interpreted in a broad way, to ensure the full effect of EU data protection law. Controllers do not necessarily need to have access to personal data. But controllers must determine BOTH the purpose and the essential means of processing personal data (e.g. the type of personal data processed, the duration of the data processing, the categories of data recipients and the categories of data subjects). “Non-essential” means of the data processing can be left to the processor (e.g., the type of IT systems or other technical means to use for the data processing or the details of the security measures to be implemented based on the general security objectives set by the controller).
● Joint Controller - This implies the joint participation of two or more entities in determining the purpose AND means of the data processing activity. This can be a common decision or result from converging decisions. In our experience, true joint controllership is rare – much more likely is that you have 2 independent controllers who share personal data with each other but use it for their own purposes.
● Processor - While processors may not determining the purpose of the data processing (as we’ve already established that this MUST be done by the controller(s)) they may have a certain discretion about how to serve the controller’s interests. Processors can offer a primary defined service but the controller must make the final decision. Processors cannot, at a later stage, change the essential elements of the processing without approval from the controller.
● Controller/Processor Relationship - Controllers MUST only use processors that can guarantee to implement technical and organisational measures that will meet the requirements. Controllers need to assess these guarantees, taking into account expertise, understanding, reliability and resources. The data processing agreement that the controller and processor must execute (in accordance with Article 28 of the GDPR) must not simply restate the provisions of the GDPR but include specific information about how the requirements will be met in practice and the measures being taken. Importantly, the agreement should impose an obligation on the processor to obtain the controller’s approval before making any changes to the list of security measures and a regular review of those measures to allow the controller to assess their appropriateness. It should also set out the ways in which the processor will help the controller to meet its obligations and clarify the authorisation required, should the processor engage sub-processors.
● Relationship Between Joint Controllers - This relationship (and respective responsibilities for complying with the GDPR) must be agreed at the outset and in a clear, formal agreement. It needs to take into account who is best placed to comply with obligations and these obligations do not need to be equally distributed between joint controllers. This should cover not only the parties’ obligations to provide information notices and comply with data subject rights requests but also their other obligations as controllers under the GDPR, such as (1) the implementation of the GDPR fundamental data protection principles, (2) the obligation to have a proper legal basis for the data processing, (3) the implementation of data security measures, (4) the obligation to notify personal data breaches to the competent supervisory authority and affected data subjects, (5) the obligation to conduct data protection impact assessments where applicable, (6) the use of a processor, (7) the obligation to ensure compliance with the cross-border data transfer restrictions, and (8) the organisation of contact with data subjects and supervisory authorities. The “essence” of this arrangement must be made available to data subjects.
Whilst some of the above may seem to state the obvious, we have acted for a number of SaaS clients over the past 12 months who had always assumed (or been advised that) they are processors when in fact on closer analysis, they turn out to be controllers. Whilst this has increased their compliance obligations and meant some changes to existing terms and conditions, the benefit of this is that there freedom to use the personal data they handle through their platform has greatly increased and presented additional opportunities for revenue streams.
For advice on your obligations under GDPR please contact one of our specialists.