Recently, the European Data Protection Board (the “EDPB”) adopted, as a version for public consultation, the Guidelines on the concepts of controller and processor in the GDPR (the “Guidelines”). The new Guidelines consist of two main parts: (i) one explaining the relevant concepts and (ii) the other providing guidance on the main consequences of assigning the different roles (i.e. controllers, processors, joint controllers and third parties/recipients). Given the crucial role of these concepts within the application of the General Data Protection Regulation 2016/679 (the “GDPR”), the Guidelines aim to bring clarity to these concepts and to provide details on the responsibilities attached to each role.
In particular, the Guidelines provide practical examples and factors that have to be considered when qualifying the parties, the main ideas of which we highlight below:
- Law firms – When representing clients in a dispute, law firms should be considered controllers. The EDPB bases this qualification on the fact that law firms act with a significant degree of independence when deciding which personal data to use and how to use it, and that they receive no instructions from the client on how to process the personal data.
- Market research providers – When a company outsources a processing activity but has a determinative influence on the purpose and the means of the processing, it should be considered a controller, even though it will never have actual access to the data. The Guidelines give the example of a company that wants to identify consumer trends and instructs a service provider on what type of information it is interested in, providing a list of questions to ask the participants in the market research. The EDPB considers that, even if the company receives only statistical information from the provider, it should be considered a controller and the provider its processor.
- Marketing operation – Two companies which intend to launch a co-branded product and organize an event to promote it should be regarded as joint controllers if (i) they decide to share data from their respective clients and decide together on the list of invitees to the event and if (ii) they also agree on how the invitations will be sent and how to collect feedback.
- General IT support vs IT consultants fixing a software bug – An IT services provider which performs general IT support for a company should be considered a processor: even though access to personal data is not the main object of the support service, it is inevitable that the provider will have access to personal data when performing the service. On the other hand, when an IT services provider is hired to fix a specific problem, such as a software bug, the provider is not hired to process personal data; its access to personal data should be purely incidental and therefore very limited in practice. In this latter case, the IT provider should be regarded as a third party.
- Cloud service providers – A cloud service provider should be considered a processor since the clients give instructions on what personal data to store, storage periods, deletion of data etc.
- Cleaning services providers – When a company engages a cleaning services provider to clean its offices, the EDPB considers that the latter should be regarded as a third party, since there is no intention to engage the provider to process personal data and the provider can carry out its tasks without accessing the data. In this case, the Guidelines underline that the client company, as a controller, must make sure that adequate security measures are in place to prevent the provider from having access to the data, and must also lay down a confidentiality duty in case the provider accidentally comes across personal data.
The Guidelines also provide a detailed description of the information that should be included in (i) the data processing agreements concluded with processors (the “DPAs”) and (ii) the arrangements concluded between joint controllers. Among the most important provisions to be included in these documents, as indicated by the EDPB, we mention the following, which supplement or detail the elements required by articles 26 and 28 of the GDPR:
1. The DPA – the Guidelines recommend that the DPA should include:
- information on the security measures to be adopted and an obligation on the processor to obtain the controller’s approval before making changes to those security measures;
- a specific time frame for notifying the controller (e.g. a number of hours) in case a personal data breach occurs, and the point of contact for such notifications;
- the possibility for the controller to change the choice it made, before the end of the provision of services related to the processing, between the deletion and the return of the personal data;
- details on how often and by which means information should flow between the processor and the controller, so that the controller is fully informed as to the details of the processing;
- an obligation to provide information on sub-processors that enables the controller to decide whether to authorize the engagement of the respective sub-processor, such as the sub-processor’s location, what it will be doing and proof of the safeguards it has implemented.
The Guidelines also provide details on how the elements mentioned in article 28.3 of the GDPR (namely the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects) should be reflected in the DPA.
2. The arrangements concluded between joint controllers – the Guidelines recommend that these arrangements should take the form of a binding document, such as a contract.
In addition to the obligations specifically referred to in article 26 of the GDPR (i.e. duties related to data subjects’ rights, information obligations and the point of contact), the following responsibilities could be included:
- how the general data protection principles will be implemented;
- who ensures the formalities for the legal basis of the processing;
- how security measures should be implemented;
- who is in charge of notifications of personal data breaches to the supervisory authority and to the data subjects;
- obligations related to conducting the data protection impact assessments;
- the use of a processor;
- transfers of data to third countries;
- organization of contact with data subjects and supervisory authorities.
The Guidelines are open for public consultation until 19 October 2020.