EDPB releases statement

EDPB releases statement of clarification on the concepts of controller and processor

EDPB releases statement of clarification on the concepts of controller and processor, as well as other key functional concepts in the GDPR.

The concepts of controller, joint controller and processor play such a key role in the application of the GDPR that it is imperative that these roles and their functions be clear. As a result, the EDPB has released a statement clarifying these concepts, and their roles. These concepts are all functional as they aim to assign appropriate responsibility to the designated parties. 

Controllers and joint controllers decide certain key elements of the processing. but may not necessarily have access to the data itself.

A controller is an entity that decides certain key elements, like the purposes and means of the data processing, but does not necessarily even need to have access to the data. In cases where there is more than one actor involved in the processing, and necessary to the processing, the entities maybe considered joint controllers. The key to being considered joint controllers is that the actors are inseparable for the purposes of processing, and that this processing would be impossible without the involvement of both parties. One may determine the purposes, and the other, the means, of processing. While the concept of a controller is not limited to any type of entity, this is usually considered to be an organisation, rather an individual within the organisation, like an employee or CEO.

There may be situations where several entities are involved in the same processing, while they are not necessarily acting as joint controllers of this processing. If multiple actors are successively processing the same personal data in a chain of operations, the various actors are considered successive independent controllers as opposed to joint controllers. While the GDPR does not dictate the specific arrangement between joint controllers, the EDPB recommends having some form of binding document, whether it be a contract or other legal binding act under EU or Member State law to which the controllers are subject. Supervisory authorities are not bound by the terms of the arrangement and data subjects may exercise their rights in respect of and against each of the joint controllers.

We explore the concept of joint controllers in detail in our blog “Joint controllership: key considerations by the EDPB”.

A processor is an entity separate from the controller, who processes data on the controller’s behalf.

A processor may be a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller or joint controllers. The two qualifying conditions to be met as a processor, are being a separate entity to the controller, and processing personal data on the controller’s behalf. Employees and other persons that are

acting under the direct authority of the controller, such as temporarily employed staff, are not to be considered processors, because although they form part of the controller’s entity, and are therefore processing under its control and guidance, as opposed to on its behalf. Processing of personal data may involve multiple processors, as a processor is any separate entity acting on behalf of the controller, to process personal data. 

A controller should consider whether the demonstrable guarantees offered by the processor are sufficient to meet GDPR requirements.

In order to meet the requirements of the GDPR, it is imperative that controllers use only processors providing sufficient guarantees to implement appropriate technical and organisational measures. It may be helpful to consider the processor’s technical expertise, reliability, resources, and adherence to code, in selecting a processor. The guarantees “provided” by the processor are actually those that the processor is able to demonstrate to the satisfaction of the controller, as those are the only ones that can effectively be taken into account by the controller when assessing compliance with its obligations. There should be a contract or other legal act in writing governing all processing to be undertaken by a processor. The GDPR outlines what key elements need to be included in the processing agreement. 

A third party or recipient may handle the personal data, yet not fall under the categories of controller or processor.

The regulation also defines the concept of a third party or recipient. A third party is ”a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.” The term refers to an entity, which concerning the specific data transfer, does not fall under any of those categories. 

A recipient is defined as “a natural or legal person, public authority, agency or another body,

to which the personal data are disclosed, whether a third party or not.” For example, when a controller sends personal data to another entity, either a processor or a third party, this entity is a recipient. It is necessary to note, however, that public authorities are however not considered recipients when they receive personal data in the framework of a particular inquiry in accordance with Union or Member State law.

In this recent statement, the EDPB gives an in depth explanation of the definition of these concepts, their roles, responsibilities and functions. It includes several very specific examples, demonstrating these concepts and how they interact in practical situations. 

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both adaptation consultancy services, including data protection impact assessments, CCPA compliance and Data Protection Officer outsourcing.

New national privacy bill

New national privacy bill proposed in Canada.

New national privacy bill proposed in Canada, is expected to significantly increase protections to Canadians’ personal information. 

Bill C-11, Canada’s newly proposed national privacy bill, which is also referred to as Digital Charter Implementation Act, 2020, will give Canadians more control and transparency when companies handle their personal information, and therefore expected to increasingly protect their personal information. This bill is said to reshape Canada’s privacy framework.  In the wake of the “Schrems II” judgment in the EU, and with the U.S. examining its own federal privacy legislation, international data flows have been challenged, inspiring the introduction of further legislation in that regard. 

This new bill was introduced by Minister of Information Science and Economic Development, Navdeep Bains, who brought up an important point on the need for interoperability with both EU and U.S. legislation.

The President of the Canadian Internet Registration Authority, Byron Holland, applauded the bill and said, “Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users.” Minister of Information Science and Economic Development, Navdeep Bains said, “As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. … For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement.” He also  brought up an important point on the need for interoperability with both EU and U.S. legislation, and adequacy to be achieved through  this legislation.

The new national privacy bill in Canada, if passed, could mean several significant changes, including the possibility for hefty fines, for companies found to be in violation. 

If the bill passes, there could be fines of up to five per cent of global revenue or $25 million CAD, whichever is higher, for companies found to be in violation. Bill C-11 also includes the Personal Information and Privacy Protection Tribunal Act as well as the Consumer Privacy Protection Act. This bill would also give the federal privacy commissioner the power to make orders, including the ability to force an organization to comply and to order a company to stop collecting data or using personal information.

The Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information, withdrawal of consent and disposal of personal information.

This new Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information,and finally, withdrawal of consent and disposal of personal information. In this fact sheet, the in-depth clarifying questions surrounding DCIA 2020 are answered, including insight on how this new legislation may promote a strong Canadian digital environment, 

How do the key principles of DCIA 2020 compare to current GDPR regulation?

There has been much talk of the interoperability of DCIA and the GDPR, however it is interesting to note how they compare with regard to basic principles. The following table compares the two regulations based on the key principles of the Digital Charter Implementation Act.

Principles DCIA GDPR
Meaningful consent New rules on consent would ensure that individuals have sufficient information in plain-language allowing them to make meaningful decisions about the use of their personal information. According to the GDPR, a data subject’s consent must be freely given, specific, informed and unambiguous. The individual must indicate by a clear affirmative action, their agreement to the processing of their personal data.
Data mobility The proposed bill would allow people the right to direct the transfer of their personal information from one organization to another. For example, people would have a power to direct their bank to share their personal information with another financial institution. The right to data portability allows individuals to obtain, reuse, move, copy or transfer their personal data for their own purposes across different services without affecting its usability. This right, however, only applies to information an individual has provided to a controller.
Disposal of personal information and withdrawal of consent The new DCIA legislation would allow data subjects to request that organizations discard their personal information and, in most cases, allow them to withdraw consent for the use of their personal information. The GDPR gives people a specific right to withdraw their consent at any time. It must also be as easy to withdraw consent as it was to give it, meaning, the process of withdrawing consent should be an easily accessible one-step process.
Algorithmic transparency Businesses will need to be transparent about how they use automated decision-making systems like algorithms and artificial intelligence, to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how the automated decision making process of a system led to a  prediction, recommendation or decision and explain how the information was obtained. The GDPR grants the data subject the right not to be subject to a decision, which produces legal effects concerning him or her or similarly significantly affects him or her, based solely on automated processing, including profiling. In certain specific situations identified as legitimate exceptions according to Article 22 of the GDPR, this type of processing is valid, although additional measures are required “…the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision”.
De-identified information The legislation will clarify that personal information, with direct identifiers such as names removed, must be protected and that it can be used without an individual’s consent only under certain circumstances. Article 6(4)(e) permits the processing of pseudonymized data for uses beyond the purpose for which the data was originally collected, subject to certain conditions.

Do you require assistance with GDPR or CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

ICO fines Ticketmaster UK

ICO fines Ticketmaster UK Limited 1.39 million Euros, over chatbot cyber attack.

ICO fines Ticketmaster UK Limited 1.39 million Euros under the GDPR, for failing to prevent chatbot cyber attack.


The ICO has fined Ticketmaster UK in relation to a recent data breach which potentially affected over 9 million customers across the EU. This data breach was orchestrated via a chatbot which the company installed on its online payment page. The company’s failure to protect their customers’ information is a breach of the GDPR. 


In February 2018, several Monzo bank customers reported fraudulent transactions. In addition, the Commonwealth Bank of Australia, Barclaycard, MasterCard and American Express all made reports to the company suggesting fraud. Nine weeks after being alerted, Ticketmaster began monitoring network traffic via its online payment page. The breach began in February 2018, however the penalty which ensued relates to the breach over the period from May 25, 2018, upon the implementation of the new rules under the GDPR.  


This data breach potentially affected millions of customers as their payment information became compromised.


The data breach in question included names, payment card numbers, expiry dates and CVV numbers, potentially affecting 9.4 million of Ticketmaster’s customers across Europe with approximately 1.5 million in the UK. The investigations uncovered that, as a result of the breach, 60,000 payment cards from Barclays Bank customers were subjected to known fraud. An additional 6,000 cards were replaced by Monzo by the bank due to suspected fraudulent use.

The ICO found that there weren’t adequate security measures in place to protect customers’ data.


The ICO’s investigation revealed that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details. Deputy Commissioner, James Dipple-Johnstone said “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.” The ICO found that Ticketmaster failed to assess the risks of using a chat-bot on its payment page, to identify and implement appropriate security measures to avoid the risks, and to identify the source of suggested fraudulent activity in a timely manner. The ICO issued Ticketmaster UK Limited with a notice of intent to fine on 7 February 2020, and received written representations in response. 

The ICO fines Ticketmaster UK under the GDPR on behalf of all EU authorities, taking into account the impact of the COVID-19 pandemic.

 Since the breach happened before the UK left the EU, the ICO acted as the lead supervisory authority. The ICO completed the Article 60 GDPR process prior to the issuing of the penalty. This article provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The process included submitting a draft decision to the other supervisory authorities for their opinion and taking their views into consideration.When deciding on a fine, the ICO considered not only affordability, but the economic impact of COVID-19 among other factors.


The ICO statement is available in their website.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

First Code of Conduct

First Code of Conduct under the GDPR approved by the Spanish DPA.

The first Code of Conduct under the GDPR has been approved by the Spanish DPA.

The Spanish Agency for Data Protection (AEPD), in enforcing the General Data Protection Regulation and the Data Protection Law and guarantee of digital rights, has approved the first code of conduct based on the provisions of articles 40 and 41 of the GDPR and 38 of the DPA 2018. The Code of Conduct for Data Processing in Advertising Activity has been presented by the Association for the Self-regulation of Commercial Communication (Autocontrol), whose main purpose is the establishment of an out-of-court system to process claims about data protection and advertising, quickly, easily, effectively and free for consumers. 

This first code of conduct under the GDPR approved by the Spanish DPA, governs the processing of personal data for advertising purposes.

The GDPR establishes that the supervisory authorities will promote the development of codes of conduct aimed at contributing to the correct application of the regulation, taking into account the specific characteristics of the different sectors and the specific needs of micro, small and medium-sized enterprises .This code, presented by Autocontrol applies to data processing for advertising purposes carried out by its member entities. This includes sending commercial communications, promotions carried out in order to collect personal data to use for advertising purposes, use of cookies and equivalent technologies for the management of advertising spaces or conducting behavioral advertising, and also profiling for advertising purposes.

Autocontrol, the independent self-regulatory body of the advertising industry in Spain, established in 1995 as a non-profit association, is made up of advertisers, advertising agencies, the media and professional associations, with the objective to work towards responsible advertising. The code recently presented by this organisation will apply to member entities established in Spanish territory or to data processing activities that affect data subjects residing in Spain, as long as the data processing is related to the offer of goods and services in Spain or to the monitoring of their behaviour in Spain. 

The code outlines information to be communicated to data subjects when their personal data is collected.

According to this code, the data subject may exercise the right of access, right to rectification, right to erasure, right to object, right to restriction of processing and, where appropriate, the right to data portability regarding the treatment of the data. The data controller must inform the data subject of the processing of their personal data, providing specific information, outlined in articles 13 and 14 of the GDPR, depending on whether they obtained the data from the concerned party or from a different source. In addition, data controllers must inform the concerned parties about their right to object to the use of their personal data for direct marketing purposes, at the time the data is collected. The use of cookies or similar tools by the data controllers will be subject to the provisions of the Information Society Services Law, which is the national law implementing the ePrivacy Directive, or regulations that replace it. 

According to the code, there will be an Advertising Jury which will act on behalf of the Spanish DPA in matters concerning advertising and marketing. 

Autocontrol has also implemented an extrajudicial resolution system to resolve disputes that arise between its data controllers and their data subjects, due to data processing carried out in advertising. With respect to the functions and powers of the Spanish DPA as supervisory authority, the Advertising Jury will act as a supervisory body of this Code. When the Advertising Jury, in resolving a claim, declares a breach of the code, it will rule on the sanctions that, where appropriate, should be imposed in accordance with the provisions of the regulations.

Annually, the Secretariat of the Advertising Jury will prepare a statistical report for each member entity with the relevant data regarding the respective entity’s activity, including both data related to mediations and the decisions of the Advertising Jury. The Secretariat of the Advertising Jury will also prepare an annual collective statistical report to be presented to the Spanish DPA.

Autocontrol has this Code of Conduct in the section for codes of conduct of its website where it can be downloaded free of charge by any user.

Do you process data for advertising and marketing purposes? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling personal data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services and also compliance with the Spanish data protection national law including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.