Europe: Guidelines on the concepts of controller and processor in the GDPR

In brief

The European Data Protection Board ("EDPB") has published draft guidelines on the concepts of controller and processor in the GDPR ("Guidelines"). They replace the previous guidelines on the concepts of controllers and processors which the Art. 29 Working Party, i.e. basically the EDPB's predecessor, had published in 2010. The Guidelines are open for public consultation until October 19, 2020, after which the final version will be issued.

In its comprehensive Guidelines (45 pages), the EDPB not only provides guidance on the concepts of controllers, processors and joint controllers, but also long-anticipated guidance on data processing agreements pursuant to Art. 28 GDPR. We have summarized the key aspects of the Guidelines below:
 


Contents

Summary

  • The criteria leading to the qualification as a controller or a processor have remained unchanged considering the guidelines of the Art. 29 Working Party on controller and processor under the previous EU Data Protection Directive. 
  • For data processing agreements, it shall not be sufficient to recap the obligations in Art. 28 GDPR. Rather, the data processing agreement shall specify the obligations and the procedures between the controller and the processor to comply with those obligations. We, therefore, recommend reviewing any existing data processing agreements as well as templates and determining whether they should be updated in light of the Guidelines (at least once the Guidelines are final).
  • The EDPB provides further guidance on the criteria leading to a joint controllership, in particular: (a) the fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership, (b) joint responsibility does not necessarily imply equal responsibility of the various operators involved, and (c) joint controllership does not necessarily mean that entities need to have the same purpose, but that purposes which are closely linked or complementary may be sufficient. 
  • The Guidelines indicate that situations that so far have been qualified as a controller to processor relationship may now be qualified as joint controller relationships. Companies should consider whether certain controller-processor set-ups should be re-qualified and implemented as joint controller relationships, in particular in light of existing case law by the Court of Justice of the European 
  •  Union relating to certain website tools and sharing of website user data and other explicit examples provided by the EDPB in the Guidelines.

 Cilck here to access the full alert.


© 2021 Baker & McKenzie. Ownership: This site (Site) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms, including Baker & McKenzie LLP). Use of this site does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All information on this Site is of general comment and for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulation and practice are subject to change. The information on this Site is not offered as legal or any other advice on any particular matter, whether it be legal, procedural or otherwise. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any information provided in this Site. Baker McKenzie, the editors and the contributing authors do not guarantee the accuracy of the contents and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the contents of this Site. Attorney Advertising: This Site may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Site may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. All rights reserved. The content of the this Site is protected under international copyright conventions. Reproduction of the content of this Site without express written authorization is strictly prohibited.