Happy Data Privacy Day!
Many companies are still struggling with some basic concepts of the General Data Protection Regulation, such as “controller,” “processor” and “transfer” of personal data. The European Data Protection Board (EDPB) has tried to shed some light on these concepts in its guidelines on the concepts of controller and processor and its draft guidelines on data transfers.
This blog post summarizes the key elements of the concepts of controller, joint controller, processor and data transfer. Whether a company is a controller, joint controller or processor is not a matter of labels: it follows from an analysis of the factual circumstances of the processing, not from what the parties call themselves in their contract. The concept of data transfer is particularly relevant for companies which, although they aren’t established in the European Economic Area (EEA), fall under the territorial scope of the GDPR.
As a reminder, the GDPR also applies to companies that don’t have an establishment in the European Union but offer goods or services to, or monitor the behaviour of, data subjects in the EU (Article 3.2).
#1: What makes your company a controller under the GDPR?
The controller determines the purposes of the processing of the relevant personal data (i.e., why the processing is taking place) and the means of such processing (i.e., how this objective should be reached). While the decisions on the purposes are always left to the controller, a distinction exists regarding the means:
- “Essential means” must be determined by the controller, as they are closely related to the purpose of the processing. They may consist of, among others, the determination of which data will be processed or for how long the data will be processed and retained.
- “Non-essential means” can be decided by the processor. They concern the more practical aspects of implementation, such as the choice of hardware or software.
The EDPB provides examples of companies that are typically considered controllers in the context of their core activities: sponsors of clinical trials, law firms representing companies in a dispute, travel agencies issuing travel documents for their customers, etc.
- Access to data is not a prerequisite for a party to qualify as a controller.
- The allocation of the roles of controller and processor is not negotiable: it follows from the factual circumstances, and a contract cannot turn a party that in practice determines purposes and essential means into a processor.
- Both the controller and the processor are responsible for ensuring that data processing terms have been entered into (Article 28.3).
- The controller’s assessment when choosing a processor, which must provide “sufficient guarantees,” needs to consider the processor’s expert knowledge, reliability, resources and reputation in the market.
#2: What makes your company a joint controller under the GDPR?
Joint controllership results from joint participation in the determination of the purposes and means of a processing operation. Such participation can take the form of common decisions made by two or more entities, or can result from converging decisions, where each party decides part of the purposes and means. An important criterion is that the processing wouldn’t be possible without both parties’ participation, in the sense that the processing by each party is inseparable (i.e., inextricably linked).
By way of example, the Court of Justice of the EU has identified joint controllership in the following scenarios.
- The operator of a website and the provider of a social plug-in, where the plug-in is embedded on the website to optimize the publicity of goods by making them more visible on the social network.
- The administrator of a fan page and the social media platform hosting it, where the processing of visitors’ personal data through statistics enables:
  - The social media platform to improve its system of advertising.
  - The administrator of the fan page to obtain statistics for the promotion of page activity.
- The existence of a mutual benefit (e.g., commercial) arising from a processing activity does not necessarily give rise to joint controllership.
- The arrangement between joint controllers (Article 26) must allocate their respective responsibilities for all relevant GDPR obligations, including how they will communicate with the competent supervisory authorities regarding data protection impact assessments, notification of personal data breaches and the designation of a data protection officer.
- The obligations do not need to be equally distributed, although each controller remains responsible for its own obligations (e.g., to have a legal basis for the processing).
#3: What makes your company a processor under the GDPR?
The processor processes personal data on behalf of the controller, in accordance with its instructions. Companies typically acting as processors can be cloud service providers or providers of call centers that help clients answer their customers’ questions.
The same company will often act at the same time as a processor for certain processing operations (e.g., the operations carried out as part of the services provided to the controller) and as a controller for others (e.g., payroll administration for its own employees). However, if the processor starts using the entrusted personal data for its own purposes, it determines the purposes of that processing and thereby becomes a controller of such personal data (Article 28.10), in addition to breaching the controller’s instructions.
- A processor may propose elements of the processing (for example, the non-essential means) that, once accepted by the controller, become part of the controller’s instructions, without the processor thereby becoming a controller.
- The data processing agreement between the controller and the processor must be specific to the processing activity, and must not simply restate the provisions of the GDPR.
- In June 2021, the European Commission adopted a set of standard contractual clauses for controllers and processors that can be used to satisfy the requirements of Article 28.3 for their data processing terms.
#4: What processing activity constitutes a data transfer?
The GDPR doesn’t provide a legal definition for a “transfer.” However, on November 18, 2021, the EDPB published its draft guidelines on data transfers titled “Guidelines 05/2021 on the Interplay Between the Application of Article 3 and the Provisions on International Transfers as Per Chapter V of the GDPR.” Although they are still under public consultation, the guidelines constitute the EDPB’s first attempt to delineate the scope of this concept.
According to the draft guidelines, a “transfer implies that personal data are sent or made available by a controller or processor (exporter) which, regarding the given processing, is subject to the GDPR pursuant to Article 3, to a different controller or processor (importer) in a third country, regardless of whether or not the importer is subject to the GDPR in respect of the given processing.”
The draft guidelines also provide examples of processing operations that would qualify as a data transfer in the sense of the GDPR.
- A transfer exists if a processor in the EEA processes data received from a controller outside the EEA and sends this data back to that controller. Even if the controller outside the EEA is itself subject to the GDPR (based on Article 3.2), this sending back of personal data constitutes a transfer.
- A transfer does not exist if a controller outside the EEA collects data directly from a data subject in the EEA, for example via an online form: the data subject is neither a controller nor a processor and therefore cannot be an “exporter.”
Where processing qualifies as a transfer, controllers and processors need to comply with the conditions of Chapter V GDPR and frame their transfers using the appropriate instruments, including the new standard contractual clauses. (For more information, refer to our blog post about SCCs.)
- A Chapter V instrument is still required for transfers to controllers or processors that are based outside the EEA but are themselves subject to the GDPR under Article 3.2; however, because the importer is already directly bound by the GDPR, the instrument may need to contain fewer obligations and safeguards than one used with an importer that is not subject to the GDPR.
- For such transfers, the European Commission is expected to develop a new set of standard contractual clauses, in addition to the existing ones.
- Even where processing does not qualify as a transfer, the controller remains accountable for addressing the risks of that processing, including those arising from the data being processed in a third country (e.g., conflicting local laws or government access), so that the processing is lawful under the GDPR.