Whether an organisation acts as a data controller, a joint controller or a data processor is of crucial importance for the application of the General Data Protection Regulation 2016/679 (GDPR), as this determines what obligations the respective organization has and what responsibilties it bears with regard to the processing of personal data. For this reason, on September 2, 2020 the European Data Protection Board (the EDPB) issued Guidelines on the interpretation of these concepts, providing clarifications and detailed guidance, throughout useful examples, in order to ensure consistent and harmonised approach within the European Union (EU) and the European Economic Area (EEA).
Data controller and data processor
Which entity determines the “essential” elements of the processing is of crucial importance for the distinction between the two concepts. To be considered a controller, one must determine the purposes and means of processing – “why” and “how” the data will be processed. Some non-essential aspects of the means of processing may be left to the discretion of the data processor. According to the EDPB, the “essential” aspects of the processing include the types of personal data processed, the duration of the processing, the categories of data recipients and the categories of data subjects.
Conversely, the data processor can decide only on “non-essential” aspects (e.g. the type of IT systems or other technical means to be used for the processing, or the security measures based on the security objectives specified by the controller).
The EDPB gives the following example:
Company A hires Company B to administer the payment of salaries to the employees of A . Company A provides clear instructions on who to pay, what amounts, by what date, to which bank, how long the data will be stored, what data should be disclosed to the tax authority, etc. In this case, the processing is carried out in order for Company A to pay salaries to its employees and Company B cannot use the data for any other purpose. The way in which Company B shall carry out the processing is strictly defined by Company A. Company B can only decide on the non-essential aspects of the processing – which software to use, how to distribute access to data within its own organisation, etc. as long as it does not go against or beyond the instructions given by Company A.
The EDPB gives another example:
Employer A hires hosting service H to store encrypted data on H’s servers. The hosting service H does not determine whether the data it hosts are personal data or not, nor does it process data in any other way than storing it on its servers. Storage falls under the definition of personal data processing activity, therefore the hosting service H processes personal data on behalf of employer A and qualifies as a processor. Employer A must provide to H the necessary instructions on how the processing shall be carried out including which technical and organisational measures shall be applied. These instructions shall be objectified in a data processing agreement concluded between the controller and the processor according to Article 28 GDPR. H must ensure that the necessary security measures are taken and notify A in case of any personal data breach.
Joint controllership is present when the purposes and means of the processing are determined by not one but two or more legal/ natural persons. To illustrate the dimensions of this type of data controllership in practice, the EDPB gives the following example:
A travel agency, a hotel chain and an airline decide to participate jointly in setting up an internet-based common platform for the common purpose of providing package travel deals. They agree on the essential means to be used, such as the categories of data which will be stored, the means throught which reservations will be allocated and confirmed, and the categories of persons who could have access to the stored information. Furthermore, they decide to share amongst them data of their respective customers in order to carry out joint marketing actions. In this case, the travel agency, the airline and the hotel chain, jointly determine why and how personal data of their customers are processed and will therefore be joint controllers with regard to the processing activities related to their common internet-based booking platform and joint marketing actions.
However, each of them would still retain sole control with regard to their respective processing activities outside the internet based common platform.
Another example provided by the EDPB to distinguish the concept of joint controller from the concepts of controller and processor involves the case of clinical trials:
A health care provider (the investigator) and a university (the sponsor) decide to launch together a clinical trial with a common purpose. They collaborate in the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.). For the purposes of this clinical trial the investigator and the sponsor are considered joint controllers as they jointly determine the purpose and the essential means of the processing.
The collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller.
In the event that the investigator does not participate to the drafting of the protocol (it just accepts the protocol already elaborated by the sponsor), and the protocol is only designed by the sponsor, the investigator should be considered as a processor and the sponsor – as the controller for this clinical trial.
The EDPB also gives an example involving provision of personal data by an employer to the tax authorities, in which case no joint controllership is considered to take place:
The company collects and processes personal data of its employees in order to manage salaries, health insurance, etc. The company is required, under the applicable legislation, to send all data on salaries to the tax authorities in order to comply with fiscal regulations.
In this case, although the company and the tax authorities process the same data concerning salaries, the lack of jointly determined purposes and means with regard to this data processing will result in qualifying the two entities as two separate data controllers.
In an annex to the Guidelines, the EDPB provides infographics with practical questions to help organizations assess whether they process personal data as controllers, joint controllers or processors.
The Guidelines are available here.