The European Data Protection Board’s (EDPB) “Guidelines 07/2020 on the concepts of controller and processor in the GDPR (General Data Protection Regulation No. 2016/679),” providing guidance on the concepts of data controller, joint controller and data processor, was first published on 2 September 2020. After a period of public consultation, the second version of the guidelines was published on 7 July 2021 (“Guidelines”). The English text of the Guidelines is available here.
What Do the Guidelines Say?
In the Guidelines, the EDPB first clarifies the concepts of data controller, joint controller and data processor, and further analyzes the main differences between the legal definitions.
The data controller is emphasized to be the entity deciding on certain key elements of and determining the purposes and means (“the why and how”) of the processing. It is further set out that more practical aspects of implementation (“non-essential means”) can be left to the processor and that it is not necessary for the data controller to actually have access to the data that is being processed.
As for joint participation, it is highlighted that joint controllership can result either from a common decision taken by two or more entities or from converging decisions by two or more entities, where such decisions complement each other and are necessary for the determination of the purposes and means of the processing. In other words, it has been clarified that, in joint controllership, the processing would not be possible without all data controllers’ participation.
The data processor is set out as the entity meeting two basic conditions: (i) being a separate entity in relation to the controller and processing personal data on the data controller’s behalf, and (ii) being bound by the data controller’s instructions. That being said, the processor, at its own discretion, may still choose the most suitable technical and organizational means for the processing on behalf of the data controller.
The EDPB further explains the consequences of attributing different roles between controllers and processors by providing case examples relating to the respective responsibilities. It is emphasized that the data controller must be the entity responsible for certain activities, such as disclosing a personal data breach and carrying out impact assessments, even if the processor is providing assistance in relation to those activities. In this context, the processor is set out to be required to assist the controller “where necessary and upon request.” On another note, implementing a contract or other legal documentation between the controller and the processor is also set out as a key requirement for determining the roles. In line with this, the joint controllers must also determine “who does what” and clearly allocate responsibilities.
A flowchart for applying the concepts of controller, processor and joint controllers in practice is also provided as an annex to the Guidelines.
The Guidelines provide clarification relating to the concepts of data controller, data processor and joint controllership by touching on the consequences of attributing different roles and setting out a flowchart to determine the specific roles. To that end, the Guidelines will contribute to creating uniformity in respect of the precise meanings of these terms in the European Economic Area and, accordingly, facilitate the determination of responsibility relating to GDPR-based data-processing activities. The Guidelines not only set an example for the interpretation of the relevant terms within the scope of Personal Data Protection Law No. 6698, but also set forth rules of interpretation for Turkey-resident data controllers or data processors which are subject to the GDPR or are engaged in activities with data controllers or data processors in the European Economic Area.