European Data Protection Board adopts guidelines on concepts of controller and processor under the GDPR
On 7 July 2021, the European Commission adopted version 2.0 of Guidelines 07/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines were previously released for consultation in September 2020.
Although the Article 29 Working Party issued guidance on the role of controllers and processors in its Opinion 1/2010 (WP29 Opinion) before the introduction of the GDPR, these new Guidelines provide further clarity on scenarios faced daily by undertakings and align more clearly with considerations arising under the GDPR. As the Guidelines acknowledge, since the entry into force of the GDPR, many questions have been raised about the extent to which the GDPR changed the concepts of controller and processor and their respective roles, in particular as to the substance and implications of the concept of joint controllership (Article 26 of GDPR) and the specific obligations for processors (Article 28 of GDPR). Recognising these issues, the EDPB has issued the Guidelines to give more developed and specific guidance and so ensure a consistent and harmonised approach throughout the EU and the EEA.
Importantly, the Guidelines now replace the WP29 Opinion.
The Guidelines are separated largely into two parts:
- Part I of the Guidelines discusses the definitions of the different concepts of controller, joint controllers, processor and third party/recipient.
- Part II provides further guidance on the consequences attached in each case to the different roles of controller, joint controller and processor.
The distinction between controller and processor is an important one under the GDPR: the two roles trigger different requirements and may affect what a party is permitted to do with a particular data set. They also directly affect the substance of the contractual documentation that parties sharing data will need to enter into, depending on the capacity of the sender and recipient in each case (e.g. processor agreements, Standard Contractual Clauses). Appropriate categorisation will also typically influence the way in which data subjects may exercise their data subject rights.
The Guidelines can be found here.