Are You A Controller or a Processor? Understanding the recent draft EDPB Guidance

On September 2, 2020, the European Data Protection Board (“EDPB”) released draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (“Guidelines”). The Guidelines provide a comprehensive understanding of the key roles under the European Union’s General Data Protection Regulation (“GDPR”), and their corresponding responsibilities: (1) controller; (2) joint controller; (3) processor; and (4) third parties. What is clear from the Guidelines is that an entity’s role and responsibilities in a data transaction are determined more by the role the entity actually plays in controlling the data than by its contractual definition. These Guidelines are subject to public review until mid-October 2020.

Defining the Role in the Data Transaction: 

Controllers: The concept of controller is essentially determined by the entity’s influence over the personal data processing. The Guidelines emphasize that this is a factual analysis that depends on the nature of the processing activities at issue, and not necessarily on the nature of the entity itself. Guidelines at ¶ 24. Additionally, the Guidelines make clear that the entity’s defined role in a contract is not determinative. Guidelines at ¶ 26. The contract is one factor used to identify the party’s role under the GDPR, but it does not settle the question on its own.

Joint Controllers: Using the language of the GDPR and opinions from the Court of Justice of the European Union (“ECJ”), the Guidelines also evaluate whether an entity is considered a joint controller. Again, the role is defined by the influence the entity has over the processing. Guidelines at ¶ 49. It is important to note that the mere presence of two or more entities involved in personal data processing does not necessarily mean that those parties will be considered joint controllers. Guidelines at ¶ 67.

Processors: The Guidelines highlight two key components to determining if an entity is a processor: (1) being a separate entity in relation to the controller; and (2) processing personal data on the controller’s behalf. Guidelines at ¶ 74. A controller who conducts processing on its own behalf is not both a processor and a controller; it is considered solely a controller. Guidelines at ¶ 76. Inherent in this analysis is whether the company is acting for its own purposes or for the purposes of another controller.

Third Party Recipient: The GDPR also recognizes a role played by a third party, i.e., an entity that is not a controller, processor, joint controller or data subject. GDPR, Art. 4(10). This definition is a matter of point of view: “[a] recipient of personal data and a third party may well simultaneously be regarded as a controller or processor from other perspectives.” Guidelines at ¶ 83.

A (Somewhat) New Twist

First, it is all about control, and detailed instructions. A key component of the distinction between controller, processor and joint controller is the level of control over the processing. Guidelines at ¶ 28. The form contract provisions many organizations use in their data processing agreements are likely not detailed enough to demonstrate the level of control over the processing required to be designated as a controller.

Second, a controller must be fully informed of all means used to process personal data, essential and non-essential. The Guidelines make clear that “the controller must be fully informed about the means that are used so that it can take an informed decision in this regard.” Guidelines at ¶ 39. Negotiations over contractual provisions may prove more difficult in the future. Nearly every company is built (at least somewhat) on third-party providers, who consider themselves processors. However, during contract negotiations, these third parties are often unwilling, or outright refuse, to provide detailed information on their services, how those services are provided, and the specifics of their security measures. This is especially true for small to medium-sized businesses that are contracting with massive technology companies. That leaves an open question: what does it mean to be fully informed?

What does this mean for you?

The determination of your company’s role within a data transaction under the GDPR is not a simple analysis. It requires a deep understanding of the role your company plays in the data processing, identifying all of the relevant facts for that processing, and then tying those facts to the many criteria to determine whether you are acting as a controller, joint controller, processor, or third party. The first step is to understand the personal data impacted. Second, understand your role in the processing, and especially your influence or control over the purpose and means of processing. This is a transaction-by-transaction analysis: one company can play multiple different roles across its various data processes.

The last thing you want is to be surprised. A company’s categorization under the GDPR is pivotal to understanding its responsibilities, obligations, and liability. And, while these Guidelines are not yet adopted, they provide key insight into this very important topic and into ensuring that you are compliant across all business units and data processing activities within your organization. Working across law, technology, and information governance is key to compiling the information necessary to ensure you are complying with your role under the GDPR. Contact our team today to help you better understand your role under the GDPR and prepare for your GDPR compliance!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.