Regulatory

Blog

Regulatory

Contributors

Aki Corsoni-Husain
Aki Corsoni-Husain
  • Aki Corsoni-Husain

  • Partner
  • Cyprus
George Apostolou
George Apostolou
  • George Apostolou

  • Partner
  • Cyprus
Chiara Deceglie
Chiara Deceglie
  • Chiara Deceglie

  • Partner
  • Luxembourg
Massimiliano della Zonca
Massimiliano della Zonca
  • Massimiliano della Zonca

  • Senior Associate
  • Luxembourg
Philip Graham
Philip Graham
  • Philip Graham

  • Partner
  • British Virgin Islands
Ayana Hull
Ayana Hull
  • Ayana Hull

  • Counsel
  • British Virgin Islands
Katerina Katsiami
Katerina Katsiami
  • Katerina Katsiami

  • Associate
  • Cyprus
Andrew Knight
Andrew Knight
  • Andrew Knight

  • Partner
  • Luxembourg
Joshua Mangeot
Joshua Mangeot
  • Joshua Mangeot

  • Counsel
  • British Virgin Islands
Mirza Manraj
Mirza Manraj
  • Mirza Manraj

  • Counsel
  • Hong Kong
Elina Mantrali
Mirza Manraj
  • Elina Mantrali

  • Associate
  • Cyprus
Vanessa Molloy
Vanessa Molloy
  • Vanessa Molloy

  • Partner
  • Luxembourg
Andrea Moundi Savvides
Andrea Moundi Savvides
  • Andrea Moundi Savvides

  • Consultant
  • Cyprus
Matt Taber
Matt Taber
  • Matt Taber

  • Partner
  • Cayman Islands
Carolynn Vivian
Carolynn Vivian
  • Carolynn Vivian

  • Group General Counsel
  • Cayman Islands

European Data Protection Board adopts guidelines on concepts of controller and processor under the GDPR

On 7 July 2021, the European Commission adopted version 2.0 of Guidelines 07/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines were previously released for consultation in September 2020.

Although guidance on the role of controllers and processors has previously been issued prior to the introduction of the GDPR by the Article 29 Working Party in its Opinion 1/2010 (WP29 Opinion), these new Guidelines provide further clarity on scenarios faced daily by undertakings and more clearly align with considerations arising under the GDPR. As the Guidelines acknowledge, since the entry into force of the GDPR, many questions have been raised regarding to what extent the GDPR brought changes to the concepts of controller and processor and their respective roles - in particular as to the substance and implications of the concept of joint controllership (Article 26 of GDPR) and to the specific obligations for processors (Article 28 of GDPR). Recognising these issues, the EDPB has issued the Guidelines with a view to giving more developed and specific guidance in order to ensure a consistent and harmonised approach throughout the EU and the EEA.

Importantly, the Guidelines now replace the WP29 Opinion. 

The Guidelines are separated largely into two parts:

  1. Part I of the Guidelines discusses the definitions of the different concepts of controller, joint controllers, processor and third party/recipient.
  2. Part II provides further guidance on the consequences attached in each case to the different roles of controller, joint controller and processor.

The distinction between controller and processor is an important one under GDPR, since the two roles trigger different requirements in each case under GDPR and furthermore may impact what a party is permitted to do with a particular data set. Furthermore, they directly affect the substance of contractual documentation that will need to be entered into between parties sharing data, depending on the capacity of the sender and recipient in each case (eg processor agreements, Standard Contractual Clauses). Categorising appropriately will also typically influence the way in which data subjects may exercise their data subject rights.

The Guidelines can be found here.