On 7 November 2019 the European Data Protection Supervisor published its guidelines on the concepts of controller, processor and joint controllership. While the EDPS is the supervisory authority for the EU institutions (EUIs), whose data protection activities fall under Regulation 2018/1725 and not the GDPR, the document is of importance for every entity touched by personal data processing activities. It details (at some points in excruciating detail…) the concepts at the base of data protection legislation in Europe.
This post highlights several important points to be considered when planning and executing a data protection compliance plan according to the GDPR.
– The definitions in Regulation 2018/1725 and the GDPR differ slightly in wording but are essentially the same. The main point is that a controller is the entity that determines the purposes and means of the processing activity;
– Means can be “essential” or not. The controller determines (has decision-making power and factual influence over) the essential means (start, end, types of data, data subjects, retention periods, purposes…). Non-essential means (e.g. hardware or software) could be under others’ remit, a processor’s for instance.
– Means, in the sense of the “why” and “how” of a processing activity, refer to the de facto means, not those resulting from formal documents (this is an underlying approach of the GDPR as well)
– Interesting note: a controller could have no access whatsoever to personal data. It is enough that the entity determines the purpose and essential means, or has the power to start and stop a processing activity. It can, for instance, receive anonymised statistics based on personal data collected and processed by a third party.
– Processing activities can be analysed at a lower granularity (specific activities) and only some of those could be under direct control. Controllers have a bit of leeway in determining the level of granularity – a useful guideline is to look at how the processing appears from the data subject’s point of view.
– For processors, the definition is identical in Regulation 2018/1725 and the GDPR
– The presence of a processor depends exclusively on a decision taken by the controller. The controller is always the center of responsibility and accountability
– Controllers can assume a very diverse range of legal forms: individuals, legal persons, public bodies, agencies…
– Processors work in the controller’s interest (“on behalf of” the controller). They carry out specific tasks following specific instructions
– It’s stressed again that the ultimate responsibility lies with the controller. The obligations of the processor should be set out in a legal act or binding arrangement
– Joint controllership arises when each controller determines the purposes and (essential) means of the processing. These elements must be jointly decided. An agreement on this is sufficient for joint controllership. Unity of purpose is needed, and must be agreed upon.
– Joint controllers should enter into a specific agreement accepted by all parties
– A clear allocation of responsibilities should be included in the agreement
– Compliance responsibilities and duties must be clearly defined (could be the case that they are not equally shared)
– The agreement should detail information security responsibilities
– The agreement should contain provisions for a single point of contact for data subjects, clear responsibilities for replying to requests and the exercise of subjects’ rights
– Joint controllers cooperate on DPIAs where these are necessary