EDPB releases statement of clarification on the concepts of controller and processor, as well as other key functional concepts in the GDPR.
The concepts of controller, joint controller and processor play such a key role in the application of the GDPR that it is imperative that these roles and their functions be clear. As a result, the EDPB has released a statement clarifying these concepts, and their roles. These concepts are all functional as they aim to assign appropriate responsibility to the designated parties.
Controllers and joint controllers decide certain key elements of the processing. but may not necessarily have access to the data itself.
A controller is an entity that decides certain key elements, like the purposes and means of the data processing, but does not necessarily even need to have access to the data. In cases where there is more than one actor involved in the processing, and necessary to the processing, the entities maybe considered joint controllers. The key to being considered joint controllers is that the actors are inseparable for the purposes of processing, and that this processing would be impossible without the involvement of both parties. One may determine the purposes, and the other, the means, of processing. While the concept of a controller is not limited to any type of entity, this is usually considered to be an organisation, rather an individual within the organisation, like an employee or CEO.
There may be situations where several entities are involved in the same processing, while they are not necessarily acting as joint controllers of this processing. If multiple actors are successively processing the same personal data in a chain of operations, the various actors are considered successive independent controllers as opposed to joint controllers. While the GDPR does not dictate the specific arrangement between joint controllers, the EDPB recommends having some form of binding document, whether it be a contract or other legal binding act under EU or Member State law to which the controllers are subject. Supervisory authorities are not bound by the terms of the arrangement and data subjects may exercise their rights in respect of and against each of the joint controllers.
We explore the concept of joint controllers in detail in our blog “Joint controllership: key considerations by the EDPB”.
A processor is an entity separate from the controller, who processes data on the controller’s behalf.
A processor may be a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller or joint controllers. The two qualifying conditions to be met as a processor, are being a separate entity to the controller, and processing personal data on the controller’s behalf. Employees and other persons that are
acting under the direct authority of the controller, such as temporarily employed staff, are not to be considered processors, because although they form part of the controller’s entity, and are therefore processing under its control and guidance, as opposed to on its behalf. Processing of personal data may involve multiple processors, as a processor is any separate entity acting on behalf of the controller, to process personal data.
A controller should consider whether the demonstrable guarantees offered by the processor are sufficient to meet GDPR requirements.
In order to meet the requirements of the GDPR, it is imperative that controllers use only processors providing sufficient guarantees to implement appropriate technical and organisational measures. It may be helpful to consider the processor’s technical expertise, reliability, resources, and adherence to code, in selecting a processor. The guarantees “provided” by the processor are actually those that the processor is able to demonstrate to the satisfaction of the controller, as those are the only ones that can effectively be taken into account by the controller when assessing compliance with its obligations. There should be a contract or other legal act in writing governing all processing to be undertaken by a processor. The GDPR outlines what key elements need to be included in the processing agreement.
A third party or recipient may handle the personal data, yet not fall under the categories of controller or processor.
The regulation also defines the concept of a third party or recipient. A third party is ”a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.” The term refers to an entity, which concerning the specific data transfer, does not fall under any of those categories.
A recipient is defined as “a natural or legal person, public authority, agency or another body,
to which the personal data are disclosed, whether a third party or not.” For example, when a controller sends personal data to another entity, either a processor or a third party, this entity is a recipient. It is necessary to note, however, that public authorities are however not considered recipients when they receive personal data in the framework of a particular inquiry in accordance with Union or Member State law.
In this recent statement, the EDPB gives an in depth explanation of the definition of these concepts, their roles, responsibilities and functions. It includes several very specific examples, demonstrating these concepts and how they interact in practical situations.
