On November 7, 2019, the European Data Protection Supervisor (EDPS) [i] issued the Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 (“Guidelines”). As a background, Regulation (EU) 2018/1725[ii] (“Regulation”) applies to the processing of personal data by the Union institutions, bodies, offices and agencies.
The Guidelines aim at providing the European Union Institutions (EUIs)
practical advice and instructions to EUIs to comply with Regulation 2018/1725 by providing specific guidance on the concepts of controller, processor and joint controllership based on the definitions provided in the Regulation. Guidelines at 2. [iii]
The EDPB points out that external organizations might find Guidelines useful, too.
Similar to the definition of “controller” in Article 4(7) of the GDPR, Article 3(8) of the Regulation defines a
‘controller’ as “(…) the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law” Emphasis added.
The element of “determination” of purposes and means is the “factual influence that the controller has over the processing operation, by virtue of an exercise of decision-making power” Guidelines at 7. To determine whether it is the case in practice “the entirety of the factual elements should be evaluated, by answering the questions ‘why is the processing taking place’, ‘who initiated the processing’ and ‘who benefits from the processing’. Id. Emphasis added.
The “control” can derive from 1) “explicit legal competence,[iv] i.e. “when the EU legislator has explicitly designated the controller in a specific EU legal act” (Guidelines at 8) or 2) from “implicit competence”, i.e. while the law does not identify the controller “if a party is assigned a specific task that requires it to carry out certain duties that imply the processing of personal data, the role of controller would ultimately result from such tasks and duties assigned to that party.” Id. More rarely the role of “controller” does not derive from explicit or implicit competence assigned by law and needs be established “by assessing the factual circumstances in which the entity operates in the context of a specific processing operation”. Id.
What does it mean that the “controller’ determines “purposes and means of the processing operation”? It means the controller is the one identifying the ‘why’ and the ‘how’ of a processing operation. Guidelines at 9. Significantly, the EDPS explains that “although purposes and means are linked, it is not necessary for a party to equally determine both to be considered as a controller”. This depends “on the specific context” of the processing. Which is the “level of detail” of the determination? Id.
Certainly, “a controller is the entity that de facto decides on the purpose (‘why’) of a processing operation” which is equivalent to ask the “what for” a processing is performed. Id.
As for the means (“technical and organisational measures that are put in place when carrying out a specific processing operation”. id.), the controller needs to decide the “essential elements of the means”[v] (i.e. type of data, retention period, data subjects, access to data) to be a controller. Instead, the “more practical aspects of the processing operation(s), the so called ‘non-essential elements of the means’”. (e.g., hardware or software to be used or the technical security measures) can be determined by a processor on general instructions of the controller.
The EDPS specifies that “An entity does not need to have access to personal data to be considered a controller.” Guidelines at 10. It is sufficient to determine the purposes and means of processing, to have influence on the processing by causing it to start or to stop or to receive anonymous statistics based on data. Id.
The determination of purpose and means can be “alone or jointly with others” (see joint controllership). Guidelines at 11.
Article 3(3) of the Regulation defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data (…)” so that “each action (collection, storage, analysis, disclosure etc.) is a distinct processing operation”, but practically “processing operations are grouped in sets of processing operations that serve a defined purpose” and controllers have a certain discretion in defining the boundaries of these sets. “As a rule of thumb, controllers should look at it from the data subjects’ perspective”. Id.
The Guidelines also discuss the obligations and liability of controllers. Guidelines at 12. As for obligations, controllers are “under a general obligation to demonstrate compliance with the Regulation” (this is the accountability principle) and have the primary responsibility for ensuring compliance. Id. Article 26(1) requires controllers to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. This includes “the implementation of appropriate data protection policies by the controller”. Article 26(2). Id.
As for liability, Article 65 of the Regulation is different from Article 82 of the GDPR: instead of specifically providing for liability of the controller (or processor) in case of non-compliance, it states that
[A]ny person who has suffered material or nonmaterial damage as a result of an infringement of this Regulation shall have the right to receive compensation from the Union institution or body for the damage suffered, subject to the conditions provided by the Treaties. Id.[vi]
Finally, the Guidelines remind the EUIs that it is the controller’s responsibility to ensure that data subjects can exercise the rights. Regulation (Articles 4(2) and 14(1) and 14 (2)), even if another entity is appointed as a point of contact. Guidelines at 13.
The Guidelines give a helpful checklist ton help identify who is the controllers “If the majority of the responses to the statements is YES, your EUI is likely to be a controller”. Id.
|You have decided to process personal data or caused that another entity processes it.|
|You decided what purpose or outcome the processing operation needs to have.|
|You decided on the essential elements of the processing operation, i.e. what personal data should be collected, about which individuals, the data retention period, who has access to the data, recipients etc.|
|The data subjects of your processing operations are your employees.|
|You exercise professional judgement in the processing of the personal data.|
|You have a direct relationship with the data subjects|
|You have autonomy and independence (within the tasks assigned to you as a public institution) as to how the personal data is processed.|
|You have appointed a processor to carry out processing activities on your behalf, even if the entity chosen for that purpose implements specific technical and organisational means (non-essential elements)|
Like Article 4(8) of the GDPR, Article 3(12) of the Regulation defines a ‘processor’ as “(…) a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.[vii] Whether a processor exists in the first place, depends on a decision taken by the controller “who may decide to perform certain processing operations itself or delegate all or part of the processing to a processor.” Guidelines at 15. “The primary duty of compliance stands with the controller.” Guidelines at 16
The EDPS makes clear that “[t]he essence of the role of a ‘processor’ is that personal data is processed on behalf of the data controller.” Guidelines at 16. But what does it mean?
[T]he processor has an implementing role. In other words, ‘acting on behalf of the controller’ signifies that the processor is serving the controller’s interest in carrying out a specific task and that it is thus following the instructions set out by the controller, at least with regards to the purpose and the essential elements of the means. Id. Emphasis added
However, the processor is not a “subordinate” of the controller; in fact, the processor “may enjoy a considerable degree of autonomy in providing its services and may identify the non-essential elements of the processing operation.” Id. Emphasis added.
The controller does not impose the entire modalities but “[it]t is up to the two parties involved to agree on the acceptance of the established procedures and on the roles and modalities”. In fact, processors “may advise or propose certain measures (in particular in its field of expertise)” but the final decision on “whether to accept such advice or proposal” is for the controller. Id. Emphasis added.
A processor can become a controller (or a joint controller) “by acting “beyond the mandate by infringing the contract or another legal act or making decisions about the purpose and the essential elements of the means of a specific processing operation” Id. Whether a breach of instructions means that a processor should automatically be classified as controller “would depend inter alia on the scope of the deviation” Id.
Controller have certain obligations with regards to the choice of processors: “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the data subject”. Article 29(1) of the Regulation. Guidelines at 18. Emphasis added.
As a consequence, the controller must assess if the guarantees offered by the processor are sufficient; pursuant to the accountability principle, the controller must “be able to prove it has taken all of the elements provided in the Regulation into serious consideration.” Id.
How should that assessment be done? Controllers may take into account 1) processor’s “adequate documentation proving …compliance, such as privacy policies, records management policies, information security policies, external audit reports, certifications etc.” Id. 2) processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), 3) reliability and 4) resources.
Only if the controller can demonstrate that the processor is suitable, it can then enter into an arrangement that meets the requirements of Article 29 of the Regulation. Id.
However, the EDPS specifies that even if controller has determined that processor is suitable, the controller must still “regularly check on the processor’s compliance and measures in use”. Id. Emphasis added.
Lastly, the EDPS recommends that “[b]efore outsourcing the processing … the controller should conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations.” Id. Emphasis added
The EDPS gives the following checklist for the choice of processors by EUIs:
|· Only use processors providing sufficient guarantees to implement appropriate technical and organisational measures that the processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subjects.|
|· Ensure that the processor does not further outsource/subcontract without the controller’s prior written authorisation;|
|· Make sure that the processor keeps the controller informed of any changes, giving the opportunity to object;|
|· Sign a written contract or another (binding) legal arrangement with the processor with specific data protection clauses;|
|· Ensure that the same contractual obligations are passed on to any subcontractor chosen;|
|· In case of processors subject to the GDPR, that these provide for GDPR compliance as one of the elements to be used to demonstrate sufficient guarantees|
Guidelines at 18
In sum, the controller must enter “into a binding agreement with the processor, who must comply with the same obligations set out in the Regulation and the GDPR.” Guidelines at 18.[viii]
In addition to its own obligations, a processor 1) “must only process personal data on the documented instructions of the controller, unless required to do so by Union or Member State law.” Id. 2) Must “assist the controller”:
- with the controller’s obligation to guarantee the rights of data subjects[ix] and;
- to fulfil the controller’s obligations pursuant to Articles 33-41 of the Regulation (security and data breach notification, data protection impact assessment and prior consultation, confidentiality of electronic communications, information and consultation of EDPS).” Guidelines at 19
As for the liability of the processors, while “[c]ompared to the previous data protection legal framework, the Regulation (Recitals 45, 50 and Article 29) strengthens the responsibilities of the processor. … Article 29 of the Regulation seems to suggest that the processor’s liability remains more limited in scope compared to the controller’s liability” Id.
So when is the processor liable? 1) “when it has acted outside the mandate given by the controller, or if it has not complied with its own obligations under the Regulation.” 2) “The processor can be held entirely or partially liable for the ‘part’ of the processing operation in which it is involved.”; 3) “It may be held fully liable only when it is entirely responsible for the incurred damage.” Guidelines at 20.
Can a processor following specific instructions be held liable for following such instructions? The EDPS said no, if it does not go beyond instructions.[x] The EDPS specifiers, however, that “where the controller is an EUI and the processor an external actor, the latter will fall both under the Regulation … and the GDPR (for its internal organisation and compliance requirements).” Id.
Let’s not forget, on the other hand, that,
in line with Article 29(1) of the Regulation, vis-à-vis the data subject, the controller carries the main responsibility for the processing operation and may be held liable for damages. However, the data subject may still hold the processor liable if it has specific reasons to believe the infringement, which resulted in damage to him or her, was made by the processor. Id.
The Guidelines give a helpful checklist to help identify processors. “If the majority of the responses to the statements is YES, your EUI is likely to be a processor” Guidelines at 20.
|You follow instructions from another party with regard to the processing of personal data.|
|You do not decide to collect personal data from individuals|
|You do not decide on the legal basis for the collection and use of that data|
|You do not decide the purpose or purposes for which the data will be used.|
|You do not decide whether to disclose the data, or to whom|
|You do not decide the data retention period.|
|You make certain decisions on how data is processed, but implement such decisions under a contract or another legal act or binding arrangement with the controller|
|You are not interested in the end result of the processing|
3. ‘Joint controllership’
If more actors share the controller’s responsibilities, then you have joint-controllers.[xi] Same situation as described in Article 26 of the GDPR.
Article 28(1) of the Regulation provides that [w]here two or more controllers or one or more controllers together with one or more controllers other than Union institutions and bodies jointly determine the purposes and means of the processing, they shall be jointly controller Guidelines at 22. Emphasis added.
When does this in practice occur which are its decisive elements?
First, pursuant to Article 28(1), a situation of joint controllership may happen between two or more controllers in EUIs or between an EUI and an external actor (such as an external provider of a management portal or a national public authority etc.).” In fact, “a situation of joint controllership can indeed occur between an EUI and one or more external actors bound by GDPR. In this case, the obligations stemming from Article 28 of the Regulation fully apply.” Guidelines at 22. However, the EDPS specifies that private companies should better be processors because, by being a controller, the private party exercises inappropriate influence in the processing. Id.[xii]
Second, “the notion of joint determination should be understood as any situation where each controller has a chance/right to determine purposes and essential elements of the means of a processing operation.” Guidelines at 23. When two or more parties enter into an agreement for processing and “commonly determine (or converge on) the purpose and essential elements of the means to carry out processing”, this, in itself, triggers a situation of joint controllership”. Id.
Thirdly, “both the purposes and (the essential elements of) the means of the processing operation need to be determined.” Guidelines at 23. A ‘general level of complementarity and unity of purpose” could be enough to trigger joint controllership, “if the purposes and (essential elements of the) means of the processing operation are jointly determined”.[xiii] Id. The EDPS points out that lack of access to data of one of the joint controllers is not sufficient to exclude joint controllership (id.) but may impact on “the degree of responsibility”. Guidelines at 24.[xiv]
Fourth, how do you distinguish joint controllership from a situation in which two controllers act separately (but may interact in various operations of the processing)? “[I]f the parties involved do not jointly determine or converge on the same general objective (or purpose) or do not base their processing operations on jointly determined (essential elements of the) means, their relationship seems to be pointing to a ‘separate controllership’ situation. Id.
The EDPS gives some interesting examples. Guidelines 24-26.[xv]
What are the obligations of joint controllers? While Article 28(1) of the Regulation is broad,[xvi] the EDPS takes a data subject-focused perspective relying on recital 50 of the Regulation[xvii] and on Article 28’s mentioning of subjects’ rights, the right to information and the possibility for joint controllers to establish a single contact point. Guidelines at 26.
As for the responsibilities, it is paramount “to define the responsibilities for compliance with data protection obligations” (id) and therefore “to clearly identify and define their respective responsibilities for specific obligations” (id) but “the Regulation does not oblige joint controllers to share their responsibilities equally.” Id.
In Case C-210/16 Wirtschaftsakademie (para. 43) the ECJ held that joint controllers “may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility … must be assessed with regard to all the relevant circumstances” Id. the joint controllers must “assess their roles and responsibilities taking into account the different stages in which they operate.” Guidelines at 27. Because “a clear allocation of responsibilities may not always be immediately apparent … it is necessary to carry out a case-by-case assessment in order to identify the obligations incumbent on each and every joint controller.”. Id. The allocation must be done sensibly: for example, if a joint controller interacts with data subjects and the other does not, the responsibilities for informing data subjects and dealing with requests is better assigned to the former. Guidelines at 27.
Could a joint controller hire a processor? Yes, and in theory this does not “affect the situation of joint controllership and the responsibilities in place”. In practice, however, joint controllers, in their arrangement. may want to create specific procedures for using processors. Id. For example, they could agree that if one of the controllers wants a processor, it should consult the other. Id.
Arrangements between joint controllers are required, under Article 28 of the Regulation, in order to lay down “roles and responsibilities, in particular towards the data subjects” unless “ a law already determines these roles and responsibilities.” [xviii]When the law determines roles and responsibilities of joint controllers “only partially” then the arrangement “needs to fill any gaps that remain.” Guidelines at 28.
The allocation of responsibility must be “clear and transparent” (id.) and can take the form of a Memorandum of Understanding or a contract. A Service Level Agreement (SLA) “may be used in addition to the MoU as providing technical specifications. Furthermore, an SLA may be considered sufficient as an arrangement between joint controllers as long as this contains all of the elements in line with the Regulation.’ Id.
The EDPS clarifies that the arrangements should be discussed and agreed by all joint controllers and not “unilaterally adopted” by one of them. The arrangement should cover the relevant processes and have a clearly defined scope (differentiating the joint processing from other processes that the joint controllers may have in place), and should cover “the subject-matter, duration, nature and purpose of the processing”, as well as the categories of personal data and data subjects involved. Id.
In particular, because the “written arrangement is the legal instrument establishing the relationship between the different parties” (Guidelines at 28), it should cover: the respective responsibilities, roles and relationships, the respective duties of the joint controllers to provide privacy notices, responsibilities for information security (including data breach), a contact point, “cooperation … for the reply to data subjects requests and as regards the exercise of other rights of the data subjects”, cooperation for DPIAs, possible processors. Guidelines at 27/8.
Informing data subjects about the essence of the arrangement, as provided by Article 28(2) of the Regulation (“[T]he essence of the arrangement shall be made available to the data subject”.) Guidelines at 29. The EDPS reminds how data subjects must “be able to understand clearly the division of responsibilities and whom to address first.” Id. This information should be provided through the data protection notice, which can be separate for each of the controllers or could be a coordinated common one (in line with Articles 15(4) and 16(5)(a) of the Regulation, it is sufficient to inform data subjects through a data protection notice once). As an alternative, “[t]he arrangement may also assign the task of informing data subjects to one of the joint controllers.” Id.
What does a situation of joint controllership mean for the exercise of data subject rights?
Even if the data subjects must be informed of the arrangement, Article 28(3) of the Regulation provides that “irrespective of the terms of the arrangement (…), the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers” Guidelines at 30. This means that all the rights (such as the rights of access and rights to rectification, to erasure, to data portability and to object to the data processing) may not be limited because there are joint controllers. [xix] However, since “in practice it may be complex for both (or more) parties to grant a full exercise of the data subjects’ rights” (id) , cooperation between joint controllers to allow data subjects to exercise their rights is required. Id.[xx]
The EDPS highlights that “it is essential to make sure that a data subject may always contact each joint controller to request access, erasure or restriction” (id.) but a establishing a single contact point is recommended. Guidelines at 31.
What are the liabilities of the parties involved in a joint controllership? Article 65 of the Regulation provides for the right to compensation.[xxi]
For more information, Francesca Giannoni-Crystal.
[i] The EDPS is the independent supervisory authority competent for the processing of personal data by EU institutions and bodies (EUIs) and is competent for issuing guidelines on specific aspects related to the processing of personal data.
[ii] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, L295/39
[iii] The EDPS is the independent supervisory authority competent for the processing of personal data by EU institutions and bodies (EUIs) and is competent for issuing guidelines on specific aspects related to the processing of personal data.
[iv] Article 3(8) of the Regulation” where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law.
[v] The EDPS refers here to the Working party 29 WP29 Opinion 1/2010 on the concepts of “controller” and “processor” at 14.
[vi] The reference to the Treaties is Article 340 of the Treaty on the Functioning of the European Union (TFEU) which provides that “in accordance with general principles common to the laws of the Member States, the Union shall make good any damage caused by its institutions’
Pursuant to Article 268 TFEU, the Court of Justice of the European Union shall have jurisdiction in disputes relating to compensation for damages.
[vii] “Other body” mean ‘any other entity’, rather than Union body.
Article 3(12) of the Regulation “does not specifically list Directorates General as processors within the meaning of data protection law. It is thus clear, from a legal point of view and visa-vis the data subjects, that the EUI is responsible or liable as a processor for any noncompliance with the Regulation. … [I]n specific Institutions, certain EU Directorates General act as ‘support DGs’, often carrying out processing operations under strict instructions and on behalf of other DGs (who are the owners of the business process).” The EDPS recommends internal agreements with clear allocation of tasks and responsibilities between the different organisational entities involved in the processing. Guidelines at 15.
[viii] The EDPS promises further guidance on the “controller-processor contracts, including standard contractual clauses”. Id.
[ix] The EDPS specifies that
For example, when the processor is the only entity who may be able in practice to grant the exercise of data subjects’ rights, it is expected to provide the controller with all of the information in order for the controller to reply to the data subject. … We recommend that in the agreement in place between controllers and processors, the two parties agree on the modalities to be used in order to grant data subjects the full exercise of their rights, and that such modalities be reflected in the data protection notice to be provided to data subjects.
[x] The EDPS specifies that, based on Articles 29(3) and (4)
a processor carrying out specific processing operations under strict instructions given by the controller, would not be held liable for any infringement of the Regulation when strictly following the controller’s instructions. However, if the processor is found to have acted beyond the instructions and mandate given by the controller, it may be held liable for the infringement of the Regulation and/or damage or if it concerns a breach of the processor’s obligations. Guidelines at 20.
[xi] The EDPS reminds that in the WP29 in its Opinion 1/2010 specified that “Article 2.b of the Directive does not exclude the possibility that different actors are involved in different operations upon personal data”.
While EUIs are able to use outsourcing services when delivering the tasks assigned to them by law in the public interest, it would not be appropriate for a private party to exercise the kind of influence that would result in them being a joint controller. Guidelines at 22.
[xiii] Here the EDPS refers to the recent (29 July 2019) decision of the ECJ in which Fashion ID (an online clothing retailer, embedding on its website the ‘Like’ social plugin from the social network Facebook, was considered a joint-controller of the data together with Facebook Ireland). Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV:
it seems that Fashion ID can be considered to be a controller within the meaning of Article 2(d) of Directive 95/46, jointly with Facebook Ireland, in respect of the operations involving the collection and disclosure by transmission of the personal data of visitors to its website. Para 84.
[xiv] Here the EDPS relies on two cases of the ECJ. Case C-210/16 Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388 and Case C-25/17 Jehovan todistajat.
[xv] For example, when two or more Directorates-General decided on the development of an IT application for the management of research projects, the two or more Directorates-General using the “same IT application for managing research projects can be internally considered as joint controllers” because the purpose and the application have been commonly decided (the IT developer is the processor). Guidelines at 24. As an example of two EUIs not being joint-controllers, the EDPS gives the following: when a EUIs use CCTV cameras for maintaining the premises’ security and an accident happens and a national law enforcement authorities is transferred the CCTV data; the two parties involved do not jointly determine the purpose and means for the processing. Hence, they are not joint controllers. Id.
[xvi] Article 28(1) of the Regulation provides that joint controllers
shall in a transparent manner determine their respective responsibilities for compliance with their data protection obligations, in particular as regards the exercising of the rights of the data subject (…), by means of an arrangement between them unless, and in so far as, the respective responsibilities of the joint controllers are determined by Union or Member State law to which the controllers are subject (…).
[xvii] Recital 50 of the Regulation “puts the ‘clear allocation of the responsibilities’ as a sine qua non condition for the protection of the rights and freedoms of data subjects.” Guidelines at 26.
[xviii] Where this is the case, there is no obligation to conclude an arrangement insofar as the respective responsibilities of the joint controllers are determined by Union or Member State law”. Id. The EDPS strongly recommends to go this route.
The EDPS strongly recommends to provide for a clear allocation of responsibilities in the relevant legislative acts, in order to ensure a clear distribution of tasks between joint controllers. Guidelines at 27.
Such cooperation obligations, for example, may provide for a set contact point to which data subjects could address their requests, such as a common email address. In practice, the modalities on the general responsibilities should be contained in the arrangement, while the details on the concrete instructions may be set out in the underlying documents. Guidelines at 30.
[xx] It is, in fact, very much likely that the set roles and responsibilities may not allow the joint controllers the same means of granting data subjects the exercise of their rights within the meaning of the Regulation (such as the right of access, erasure or restriction). In relation to this, if the roles and responsibilities are defined in the arrangement between joint controllers, this should also include cooperation obligations between them for dealing with such data subject requests. Id
[xxi] Article 65 of the Regulation states that any person who has suffered any specific material or non-material damage deriving from an infringement of the Regulation has the right to receive compensation from the EUI for the damage suffered (…) subject to the conditions provided for in the Treaties” Id. The Regulation does not specifically deal with non-compliance liability, unlike Articles 26 and 82 of the GDPR.