
Speed read: Useful November 2019 guidelines on controller, processor and joint controllership concepts from the European Data Protection Supervisor

  • United Kingdom
  • Privacy, data protection and cybersecurity

06-12-2019

Summary

On 7 November 2019 the EDPS issued guidance on how to determine who is a controller, processor and joint controller. The EDPS is an independent supervisory authority whose primary objective is to ensure EU institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies. Whilst the guidelines relate to an EU Regulation which is only relevant to those EU institutions, the EDPS itself suggests external organisations may find the guidelines useful. We agree, particularly in relation to joint controllership. The ICO already has checklists about roles on its website. Nevertheless, the checklists in these EDPS guidelines are useful and they also contain helpful summaries of case law in this area.

Joint controllership is a topic we are frequently asked about, as it tends to be less common than a relationship of two independent controllers. We recently commented on the Fashion ID case. In that decision the CJEU decided that integrating the Facebook “like” plug-in into a website resulted in joint controllership between the website operator and Facebook, specifically in relation to the data collected and sent to Facebook.

What do the EDPS guidelines say about controllers?

- We all know GDPR defines a controller as the person who determines the purposes and means of processing of personal data.

- What does determine mean in this context? The EDPS confirms that this refers to the factual influence that the controller has over the processing operation. It recommends that organisations evaluate this by answering the questions ‘why is the processing taking place’, ‘who initiated the processing’ and ‘who benefits from the processing’.

- What does purposes and means signify? We have a useful reminder from the EDPS that the controller is the one deciding on the purpose (i.e. why) and the means to carry out the processing operation (i.e. how). It is not necessary for one party to equally determine both to be considered as a controller of the processing of personal data.

- The crucial question is to what level of detail a party should determine the purposes and means in order to be considered as controller. The controller is the entity that as a matter of fact decides the purpose (i.e. why). As for the means (i.e. how), the EDPS states that the controller is the entity that decides on the essential elements of the means such as the types of data to be processed, the period for which they are retained, from which data subjects the data is collected, who will have access to the data and who will receive it. There is a useful reminder from the EDPS that in their view, determination of the non-essential elements of such means of processing is less important to this evaluation. Their guidance confirms that a processor, while acting in the controller’s interest, may identify the non-essential elements of the means of a processing operation, such as what software to use to do the processing but without making itself a controller.

- If an organisation’s answers are yes to the majority of the statements on page 13 of the guidelines, then the EDPS believes that this is likely to indicate a controller role for a specific set of processing operations.

What do the EDPS guidelines say about processors?

- If an organisation’s answers are yes to the majority of the statements on page 20 of the guidelines, then the EDPS believes that this is likely to indicate a processor role for a specific set of processing operations.

What do the EDPS guidelines say about joint controllership?

- The concept of joint controllership is a bit of a mystery to some. When are two or more parties truly determining the purposes and the means of processing jointly? When does a situation of joint controllership occur and what are its decisive elements? The EDPS clarifies that it believes the notion of joint determination should be understood as any situation where each controller has a chance/right to determine the purpose and essential elements of the means of a processing operation. In other words, the parties commonly determine (or converge on) the purpose and essential elements of the means to carry out a processing operation. This in itself is sufficient to trigger a situation of joint controllership according to the EDPS.

- It has been argued that not having access to personal data within the context of a processing operation is sufficient to exclude a situation of joint controllership. According to the EDPS it is not. The EDPS refers to CJEU case law. The fact that a party only has access to information which is anonymised does not influence the joint controllership situation. This can matter when determining the degree of responsibility of the parties involved but it does not preclude them from being joint controllers. They might well have jointly determined the purposes and essential means of the processing operation to begin with.

- Multiple controllers may interact in various operations of the processing without necessarily sharing all purposes and means. It can be difficult to distinguish between a situation of joint controllership and separate controllers. The EDPS suggests that if the parties involved do not jointly determine or converge on the same general objective (or purpose), or do not base their processing operations on jointly determined (essential elements of the) means, their relationship will likely point to a situation of separate controllers.

- There is a useful reminder about the requirement to have a transparent arrangement between joint controllers and that joint controllers do not have to share their responsibilities equally.

- The EDPS suggests that in practice joint controllers might want to create specific procedures for using processors in the arrangement between themselves, for example stipulating that if one party decides to engage a processor it should consult the other first.

- The EDPS suggests the arrangement should cover the subject matter, duration, nature and purpose of the processing operations and refer to the categories of data subjects and personal data involved.

- These guidelines are not about Article 26 GDPR, but that is the provision which requires (amongst other things) that the essence of any joint controller arrangement be made available to data subjects. Joint controllers have to decide which of them will take responsibility for responding to the exercise of GDPR rights in relation to the joint processing and who will provide the privacy notice. As one example, in our experience, trustees of Defined Benefit pension schemes tend to take the lead in issuing privacy notices for themselves and for scheme actuaries, and in dealing with GDPR rights, in cases where there is joint controllership.

- On pages 28 and 29 of the guidelines there are useful checklists for what EU institutions should include in arrangements between joint controllers and there is a suggestion about what ‘making available the essence of the arrangement to data subjects’ means in practice. We suggest these checklists are useful in a much broader context, i.e. not only EU institutions will find them useful.

- Finally, there is a reminder for joint controlling organisations to define their roles and responsibilities in the arrangement between themselves, including cooperation obligations for dealing with data subject requests to exercise rights, and to keep in mind that the data subject can always choose for himself/herself which joint controller to contact in order to exercise those rights.
