On the 7th of November 2019, the European Data Protection Supervisor (“EDPS”) issued guidelines (“Guidelines”) on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 (“Regulation”) which lays down the data protection obligations for EU institutions and bodies (“EUIs”) when they process personal data and develop new policies.
The aim of the Guidelines is to provide more clarity for EUIs on how to comply with the Regulation by identifying their respective data protection roles and responsibilities.
- The Concept of Controller
In terms of article 3(8) of the Regulation, a “controller” is deemed to be “the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law”.
The EDPS amply clarifies that the term ‘determines’ in this context refers to the controller having factual influence over the processing operation by exercising its decision-making power. In order to evaluate ‘factual influence’ it is helpful to answer the questions ‘why is personal data processed’, ‘who initiated the data processing’ and ‘who benefits from the data processing’. The EUI can derive such factual control from an explicit legal competence such as a Union act which specifically designates a controller or from an implicit competence in which the role of controllership is derived from one party assigning another party to carry out data processing activities on its behalf. The essence of the controller’s influence relates to the de facto determination of the purpose and the means of the processing activity which denotes that the identification of the ‘why’ and ‘how’ of a processing activity is the conclusive test for an entity to assume the capacity of a controller.
The determination of the means only entails controllership if that party decides on the essential elements of the means such as the types of data that will be processed, the access to the data and the applicable retention periods. On the other hand, non-essential means relate to the more practical side of the processing activity such as the software or technical security measures to be used which may also be determined by the processor. However, the determination of the purpose of the processing activity is within the exclusive competence of the controller.
In terms of article 26(1) of the Regulation, the controller assumes responsibility for implementing appropriate technical and organisational safeguards to ensure compliant data processing. The controller is also responsible for data subjects being able to exercise their rights granted to them under article 17 to 24 of the Regulation. Moreover, the Regulation states in article 65 that EUIs must compensate data subjects for material and non-material damage as a result of an infringement of the Regulation “(…) subject to the conditions provided for in the Treaties”.
Crucially, the Guidelines set out a checklist whereby if the majority of the responses thereto are positive, then, it is likely that the EUI is deemed a controller for that specific set of processing operations within the meaning of the Regulation. The said EUI controller checklist sets out the following queries (to be answered as ‘yes’ or ‘no’):
- You have decided to process personal data or caused that another entity processes it.
- You decided what purpose or outcome the processing operation needs to have.
- You decided on the essential elements of the processing operation, i.e. what personal data should be collected, about which individuals, the data retention period, who has access to the data, recipients etc.
- The data subjects of your processing operations are your employees.
- You exercise professional judgement in the processing of the personal data.
- You have a direct relationship with the data subjects.
- You have autonomy and independence (within the tasks assigned to you as a public institution) as to how the personal data is processed.
- You have appointed a processor to carry out processing activities on your behalf, even if the entity chosen for that purpose implements specific technical and organisational means (non-essential elements).
2. The Concept of Processor
In terms of article 3(12) of the Regulation, a ‘processor’ is deemed to be “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Thus, a controller may delegate part or all of its processing activities to a (third party) processor. The processor thus serves in the interest of the controller in carrying out a certain set of instructions by the controller. However, one should note that a processor is not necessarily a ‘subordinate’ of the controller and may enjoy a considerable amount of autonomy in rendering its services. Nevertheless, a processor that goes beyond its mandate and makes decisions about the purpose and essential means of the processing activity would instead qualify as a controller (or joint controller).
The Regulation further stipulates under article 29 that the controller must assess whether the technical and organisational safeguards taken by the processor are sufficient. The controller must take into account and assess the processor’s technical expertise, reliability and its resources. The controller could make such an assessment by examining among other things the processor’s privacy policies, certifications, external audit reports and information security policies. The controller should ensure that the relationship with the processor is governed by a contract, legal act or binding arrangement.
It is of importance that the processor cannot assign its processing activities to a third party without the prior written authorization by the controller. In case of assignment, the same contractual obligations of the processor should be substantially passed on to the subcontractor.
With regards to the processor’s liability, a processor that strictly follows the instructions of the controller should not be deemed liable for an infringement of the Regulation. However, the processor may be held liable for damages when it has acted outside its mandate or breached one of its own obligations under the Regulation.
Similarly to the checklist for EUI controllers, the Guidelines set out a checklist to determine if the EUI is a processor. The following processor queries are set out under the Guidelines’ checklist:
- You follow instructions from another party with regard to the processing of personal data.
- You do not decide to collect personal data from individuals.
- You do not decide on the legal basis for the collection and use of that data.
- You do not decide the purpose or purposes for which the data will be used.
- You do not decide whether to disclose the data, or to whom.
- You do not decide the data retention period.
- You make certain decisions on how data is processed, but implement such decisions under a contract or another legal act or binding arrangement with the controller.
- You are not interested in the end result of the processing.
3. The Concept of Joint Controllership
Article 28(1) of the Regulation provides that “where two or more controllers or one or more controllers together with one or more controllers other than Union institutions and bodies jointly determine the purposes and means of processing, they shall be joint controllers. (…)”.
The Guidelines clarify that joint controllership should thus be understood as two or more parties commonly determining the purpose and essential means of the processing activities. It is possible that an EUI is deemed to be a joint controller together with a (private) entity subject to the General Data Protection Regulation (“GDPR”), however, the EDPS encourages EUIs making use of services provided by private companies to make sure that such private companies only act as processors for such processing operations. The EDPS lays out that it would not be appropriate for a private party to exercise the kind of influence that would result in them being deemed a joint controller together with a EUI.
The notion of joint determination should be understood as any situation where each controller has a chance/right to determine purposes and essential elements of the means of a processing operation. Both the purposes and the essential elements of the means of the processing operation need to be determined.
A ‘general’ level of complementarity and unity of purpose could already trigger a situation of joint controllership if the purposes and essential elements of the means of the processing operation are jointly determined.
However, the Guidelines recognize that in practical terms, it may sometimes be difficult to distinguish a situation of joint controllership from one in which two controllers act separately. Multiple controllers may interact in various processing operations without necessarily sharing all purposes and means per se. It should however be clear that if the parties involved do not jointly determine or converge on the same general objective (or purpose) or do not base their processing operations on jointly determined (essential elements of the) means, their relationship would be pointing to one of a ‘separate controllership’ situation, instead of joint controllership.
As opposed to ‘separate controllership’, joint controllership entails that there is a joint responsibility between the parties for the processing, but that does not necessarily mean an equal responsibility allocation. Joint controllers must enter into a specific arrangement which covers their respective roles, responsibilities and relationships in relation to the joint controllership, the essence of which (like under the GDPR) must also be made publicly available to the data subject.
Article written by Senior Associate Dr Terence Cassar and Legal Trainee Mr Philippe Martens.
Disclaimer: This article is not intended to impart legal advice
and readers are asked to seek verification of statements made before acting on
 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, L295/39.