On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).
The concepts of controller, joint controller, and processor are critical under EU data protection law, as they define the roles and responsibilities of the parties. The Guidelines confirm the EU courts' broad interpretation of joint controllers and provide additional guidance regarding the contents of data processing agreements (DPA) between controllers and processors, as well as between joint controllers. Companies should consider reassessing their role and their data processing agreements in light of these Guidelines.
The Guidelines are open for public consultation until October 19, 2020. Companies are invited to submit their views and comments, which the EDPB will consider when preparing the final version of the Guidelines.
Background
The concepts of controller, processor, and joint controller were introduced under the Data Protection Directive in 1995, and EU regulators issued guidance on this topic in 2010. A controller is the entity that determines the purposes and means of the personal data processing (i.e., "how" and "why" the data is processed). A processor is a separate entity that acts on behalf of, and under the instructions of, the controller. A joint controller is an entity that jointly determines the purposes and means of processing data with another controller. The Guidelines update the prior guidance in light of the GDPR and the case law of the European Court of Justice (ECJ).
EDPB Clarifies the Concepts of Controller, Processor, and Joint Controller
Controller and Processor
The Guidelines confirm the existing interpretation of the concepts of controller and processor and opine on a number of questions that are relevant for companies:
Joint Controllers
One of the key issues discussed in the Guidelines is the concept of joint controllership, a topic the ECJ addressed in the FashionID case.
First, the EDPB confirms that there are two types of controller-to-controller relationships: joint controllers and separate controllers. The GDPR requires joint controllers to conclude a joint-controllership agreement with specific provisions, but this obligation does not apply to separate controllers. Not surprisingly, the Guidelines follow the ECJ's conclusion in the FashionID case that it is possible for two companies to be joint controllers only with respect to specific processing operations within a broader processing activity, and to remain separate controllers for the rest. In other words, two companies can be joint controllers for some stages of the processing for which they jointly determine the purposes and means, and separate controllers for preceding or subsequent operations in the chain.
Second, the EDPB clarifies that two (or several) companies are joint controllers if they determine the purposes and means of the processing jointly via either i) a common decision, or ii) two or more converging decisions (i.e., complementary decisions without which the processing cannot take place). Purposes are determined jointly when the decision(s) relate(s) to i) the same purposes, or ii) common, closely linked, or complementary purposes. This may be the case, for example, when there is a mutual benefit for both joint controllers arising from the same processing operation; in the FashionID case, the website operator embedding a social plug-in on its website to optimize publicity on the social network was considered a joint controller with the provider of the social plug-in because both parties benefit from the processing. However, the mere fact that a processor receives payment in exchange for its services does not make it a joint controller.
EDPB Calls for Detailed Data Processing Agreements
Controller-Processor DPA
Joint Controllers DPA
Under the GDPR, joint controllers must determine their respective responsibilities for compliance with the GDPR and document them in a contract (commonly referred to as an Article 26 agreement). Such a contract must set out "who does what."
While the GDPR provides that such an arrangement should determine responsibilities regarding the exercise of individuals' rights and GDPR notice obligations, the EDPB notes that this list is not exhaustive. The contract also should address other GDPR obligations, such as i) compliance with general data protection principles; ii) legal basis for the processing; iii) security measures; iv) data breach notifications; v) data protection impact assessments; vi) use of processors; and vii) third country transfers.
The EDPB also recommends specifying i) who will act as a contact point for individuals and regulators (although individuals and regulators can always choose to contact any of the joint controllers) and ii) general information on the joint processing, such as subject matter, purpose, type of personal data, and categories of individuals.
The Guidelines further provide that some obligations cannot be distributed among joint controllers and that each joint controller must individually comply with them (e.g., appointment of a data protection officer, records of processing activities, purpose limitation, and data security).
In addition, the GDPR requires joint controllers to make the "essence of the arrangement" available to individuals (i.e., to specify which joint controller is responsible for each obligation and the relevant point of contact). The Guidelines clarify that this can be achieved either by including these details in the applicable privacy policy, or by implementing a procedure whereby individuals can obtain this information upon request.
What Should Companies Do?
Companies involved in the same data processing activities should consider reassessing their role in light of these Guidelines, in particular whether they could be considered joint controllers. Where applicable, they should consider determining their respective GDPR obligations by means of an arrangement and communicate this to individuals. In addition, companies that are in a controller-to-processor relationship should consider updating their template DPA to include the recommendations of the EDPB. Impacted companies may consider submitting comments to the EDPB, as the Guidelines are open for public consultation until October 19, 2020.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will closely monitor developments related to this topic. For more information, please contact Cédric Burton, Jan Dhont, Laura De Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.
Laura Brodahl, Lore Leitner, Roberto Yunquera, and Rossana Fol contributed to the preparation of this alert.