On September 7, 2020, the European Data Protection Board (EDPB) issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the General Data Protection Regulation (GDPR). These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010.[1] The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the Court of Justice of the European Union’s (CJEU) decision and the obligations placed on these roles by the GDPR provided a need for clarification and harmonization across the European Economic Area (EEA).[2] The guidelines provide clarity to the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways:

  • A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case.
  • A controller determines the purposes and means of the processing (the why/how of the processing). It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller. The guidelines require that controllers must only use processors providing appropriate measures under the GDPR.
  • Joint controllership is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. The guidelines recommend that a legal form of joint controllership be arranged in the form of a binding document, such as a contract.
  • The guidelines state that an agreement between a controller and a processor should do more than just restate the provisions of the GDPR. An agreement should include specific, concrete information as to how processing will comply with the requirements of the GDPR.

The guidelines are still in draft form and were open for public consultation until October 19, 2020.[3] Expect a forthcoming detailed analysis of the guidelines upon their final release.

[1] Eur. Data Prot. Bd., Guidelines 07/2020 on the concepts of controller and processor in the GDPR (Sept. 2, 2020), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

[2] Id.

[3] Id.