Are you sure you are a data processor?
On 7 September 2020, the European Data Protection Board (EDPB), successor to the ‘article 29 working party’, released updated guidance on the concepts of ‘data controller’ and ‘data processor’ under European Privacy law (i.e. General Data Protection Regulation or GDPR). Whilst this has already been subject to internal EDPB review, the EDPB is accepting public feedback until 19 October 2020. The guidelines may be further updated in the light of feedback.
In line with recent European Court (CJEU) case-law, the guidelines make it clear that any entity which determines the means and purposes of data processing will be a data controller (or joint controller). This is the case even if:
- such party has no access to the data in question;
- another party is a data controller; and/or
- there is a contract describing a party as a ‘data processor’.
However, ‘non-essential’ means of implementation may be determined by a data processor without changing its status to co-controller.
In our experience, there are currently a significant number of companies operating as data processors who are, in substance, data controllers. In these circumstances, those companies need to be mindful that if they only comply with data processor obligations they will likely be in breach of their data controller obligations, exposing themselves to material future regulatory sanction.
Background – incentives to be a ‘data processor’
European data protection law before GDPR came into force in 2018 had the same definitions of ‘data controller’ and ‘data processor’ as the GDPR. However, unlike the GDPR, under the old law the bulk of the legal obligations were placed on the data controller. This meant that a data processor could be reasonably relaxed about its compliance duties as long as it acted in accordance with its contractual obligations to the data controller. As a result, many suppliers structured their services and contracts to ensure that they could be considered data processors rather than data controllers, and there were very few examples of arrangements being described or documented as joint controller arrangements.
When GDPR came into effect it increased both the scope and depth of obligations on data controllers, and made the consequences for breach more serious. In response, most organisations which had previously been data processors sought to roll their prior status forward – the incentives to not be a data controller remained, and indeed were stronger under GDPR than under the old law.
European courts increasingly looking beyond form to the substance of the relationship
However, even before GDPR was enacted, national regulators were looking beyond contractual form to assess the substance of activity as a basis for assessing data processor / data controller status. This approach was supported by the cases considered at the CJEU.
In recent cases, the CJEU underlined that this was the right approach and found parties who did not consider themselves data controllers to be, in fact, data controllers or co-controllers. In the (memorably named) Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C‑210/16) EU:C:2018:388, 5 June 2018, the CJEU held that the administrator of a fan page on Facebook was a joint data controller with Facebook; and in Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Case C-40/17) EU:C:2019:629, it held that embedding Facebook ‘like’ buttons on a page was sufficient to make a party a joint data controller with Facebook.
In each case, the effect of the ruling was to allow the national regulator to hold the joint controller responsible for compliance with data protection obligations, thereby ensuring adequate protection for European data subjects’ rights. It is implicit in both judgments that joint data controller relationships will arise much more frequently than the controller-processor relationships often used by parties to describe their own relationships.
The GDPR definition
GDPR defines a data controller as:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” – Article 4(7), GDPR
EDPB 2020 Guidelines
The EDPB 2020 guidelines start with a helpful executive summary:
Who is a data controller?
In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller.
A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances.
A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller. – EDPB Guidelines executive summary
What is joint controllership?
The qualification as joint controllers may arise where more than one actor is involved in the processing. The GDPR introduces specific rules for joint controllers and sets a framework to govern their relationship. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand. – EDPB Guidelines executive summary
Who is a processor?
A processor is a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Two basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf. – EDPB Guidelines executive summary
The processor must not process the data otherwise than according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organisational means. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.