The European Data Protection Board (EDPB) has published draft guidelines on the concepts of controller and processor in the GDPR (Guidelines). They replace the previous guidelines on the concepts of controllers and processors which the Art. 29 Working Party, i.e., basically the EDPB's predecessor, had published in 2010. The Guidelines are open for public consultation until October 19, 2020, after which the final version will be issued.
In its comprehensive Guidelines (45 pages), the EDPB not only provides guidance on the concepts of controllers, processors and joint controllers, but also long-anticipated guidance on data processing agreements pursuant to Art. 28 GDPR. We have summarized the key aspects of the Guidelines below:
- The criteria leading to the qualification as a controller or a processor have remained unchanged considering the guidelines of the Art. 29 Working Party on controller and processor under the previous EU Data Protection Directive.
- For data processing agreements, it shall not be sufficient to recap the obligations in Art. 28 GDPR. Rather, the data processing agreement shall specify the obligations and the procedures between the controller and the processor to comply with those obligations. We, therefore, recommend reviewing any existing data processing agreements as well as templates and determining whether they should be updated in light of the Guidelines (at least once the Guidelines are final).
- The EDPB provides further guidance on the criteria leading to a joint controllership, in particular: (a) the fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership, (b) joint responsibility does not necessarily imply equal responsibility of the various operators involved, and (c) joint controllership does not necessarily mean that entities need to have the same purpose, but that purposes which are closely linked or complementary may be sufficient.
- The Guidelines indicate that situations that so far have been qualified as a controller to processor relationship may now be qualified as joint controller relationships. Companies should consider whether certain controller-processor set-ups should be re-qualified and implemented as joint controller relationships, in particular in light of existing case law by the Court of Justice of the European Union relating to certain website tools and sharing of website user data and other explicit examples provided by the EDPB in the Guidelines.