EDPB releases statement

EDPB releases statement of clarification on the concepts of controller and processor

EDPB releases statement of clarification on the concepts of controller and processor, as well as other key functional concepts in the GDPR.

The concepts of controller, joint controller and processor play such a key role in the application of the GDPR that it is imperative that these roles and their functions be clear. As a result, the EDPB has released a statement clarifying these concepts, and their roles. These concepts are all functional as they aim to assign appropriate responsibility to the designated parties. 

Controllers and joint controllers decide certain key elements of the processing. but may not necessarily have access to the data itself.

A controller is an entity that decides certain key elements, like the purposes and means of the data processing, but does not necessarily even need to have access to the data. In cases where there is more than one actor involved in the processing, and necessary to the processing, the entities maybe considered joint controllers. The key to being considered joint controllers is that the actors are inseparable for the purposes of processing, and that this processing would be impossible without the involvement of both parties. One may determine the purposes, and the other, the means, of processing. While the concept of a controller is not limited to any type of entity, this is usually considered to be an organisation, rather an individual within the organisation, like an employee or CEO.

There may be situations where several entities are involved in the same processing, while they are not necessarily acting as joint controllers of this processing. If multiple actors are successively processing the same personal data in a chain of operations, the various actors are considered successive independent controllers as opposed to joint controllers. While the GDPR does not dictate the specific arrangement between joint controllers, the EDPB recommends having some form of binding document, whether it be a contract or other legal binding act under EU or Member State law to which the controllers are subject. Supervisory authorities are not bound by the terms of the arrangement and data subjects may exercise their rights in respect of and against each of the joint controllers.

We explore the concept of joint controllers in detail in our blog “Joint controllership: key considerations by the EDPB”.

A processor is an entity separate from the controller, who processes data on the controller’s behalf.

A processor may be a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller or joint controllers. The two qualifying conditions to be met as a processor, are being a separate entity to the controller, and processing personal data on the controller’s behalf. Employees and other persons that are

acting under the direct authority of the controller, such as temporarily employed staff, are not to be considered processors, because although they form part of the controller’s entity, and are therefore processing under its control and guidance, as opposed to on its behalf. Processing of personal data may involve multiple processors, as a processor is any separate entity acting on behalf of the controller, to process personal data. 

A controller should consider whether the demonstrable guarantees offered by the processor are sufficient to meet GDPR requirements.

In order to meet the requirements of the GDPR, it is imperative that controllers use only processors providing sufficient guarantees to implement appropriate technical and organisational measures. It may be helpful to consider the processor’s technical expertise, reliability, resources, and adherence to code, in selecting a processor. The guarantees “provided” by the processor are actually those that the processor is able to demonstrate to the satisfaction of the controller, as those are the only ones that can effectively be taken into account by the controller when assessing compliance with its obligations. There should be a contract or other legal act in writing governing all processing to be undertaken by a processor. The GDPR outlines what key elements need to be included in the processing agreement. 

A third party or recipient may handle the personal data, yet not fall under the categories of controller or processor.

The regulation also defines the concept of a third party or recipient. A third party is ”a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.” The term refers to an entity, which concerning the specific data transfer, does not fall under any of those categories. 

A recipient is defined as “a natural or legal person, public authority, agency or another body,

to which the personal data are disclosed, whether a third party or not.” For example, when a controller sends personal data to another entity, either a processor or a third party, this entity is a recipient. It is necessary to note, however, that public authorities are however not considered recipients when they receive personal data in the framework of a particular inquiry in accordance with Union or Member State law.

In this recent statement, the EDPB gives an in depth explanation of the definition of these concepts, their roles, responsibilities and functions. It includes several very specific examples, demonstrating these concepts and how they interact in practical situations. 

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both adaptation consultancy services, including data protection impact assessments, CCPA compliance and Data Protection Officer outsourcing.

ICO fines Ticketmaster UK

ICO fines Ticketmaster UK Limited 1.39 million Euros, over chatbot cyber attack.

ICO fines Ticketmaster UK Limited 1.39 million Euros under the GDPR, for failing to prevent chatbot cyber attack.


The ICO has fined Ticketmaster UK in relation to a recent data breach which potentially affected over 9 million customers across the EU. This data breach was orchestrated via a chatbot which the company installed on its online payment page. The company’s failure to protect their customers’ information is a breach of the GDPR. 


In February 2018, several Monzo bank customers reported fraudulent transactions. In addition, the Commonwealth Bank of Australia, Barclaycard, MasterCard and American Express all made reports to the company suggesting fraud. Nine weeks after being alerted, Ticketmaster began monitoring network traffic via its online payment page. The breach began in February 2018, however the penalty which ensued relates to the breach over the period from May 25, 2018, upon the implementation of the new rules under the GDPR.  


This data breach potentially affected millions of customers as their payment information became compromised.


The data breach in question included names, payment card numbers, expiry dates and CVV numbers, potentially affecting 9.4 million of Ticketmaster’s customers across Europe with approximately 1.5 million in the UK. The investigations uncovered that, as a result of the breach, 60,000 payment cards from Barclays Bank customers were subjected to known fraud. An additional 6,000 cards were replaced by Monzo by the bank due to suspected fraudulent use.

The ICO found that there weren’t adequate security measures in place to protect customers’ data.


The ICO’s investigation revealed that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details. Deputy Commissioner, James Dipple-Johnstone said “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.” The ICO found that Ticketmaster failed to assess the risks of using a chat-bot on its payment page, to identify and implement appropriate security measures to avoid the risks, and to identify the source of suggested fraudulent activity in a timely manner. The ICO issued Ticketmaster UK Limited with a notice of intent to fine on 7 February 2020, and received written representations in response. 

The ICO fines Ticketmaster UK under the GDPR on behalf of all EU authorities, taking into account the impact of the COVID-19 pandemic.

 Since the breach happened before the UK left the EU, the ICO acted as the lead supervisory authority. The ICO completed the Article 60 GDPR process prior to the issuing of the penalty. This article provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The process included submitting a draft decision to the other supervisory authorities for their opinion and taking their views into consideration.When deciding on a fine, the ICO considered not only affordability, but the economic impact of COVID-19 among other factors.


The ICO statement is available in their website.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

First Code of Conduct

First Code of Conduct under the GDPR approved by the Spanish DPA.

The first Code of Conduct under the GDPR has been approved by the Spanish DPA.

The Spanish Agency for Data Protection (AEPD), in enforcing the General Data Protection Regulation and the Data Protection Law and guarantee of digital rights, has approved the first code of conduct based on the provisions of articles 40 and 41 of the GDPR and 38 of the DPA 2018. The Code of Conduct for Data Processing in Advertising Activity has been presented by the Association for the Self-regulation of Commercial Communication (Autocontrol), whose main purpose is the establishment of an out-of-court system to process claims about data protection and advertising, quickly, easily, effectively and free for consumers. 

This first code of conduct under the GDPR approved by the Spanish DPA, governs the processing of personal data for advertising purposes.

The GDPR establishes that the supervisory authorities will promote the development of codes of conduct aimed at contributing to the correct application of the regulation, taking into account the specific characteristics of the different sectors and the specific needs of micro, small and medium-sized enterprises .This code, presented by Autocontrol applies to data processing for advertising purposes carried out by its member entities. This includes sending commercial communications, promotions carried out in order to collect personal data to use for advertising purposes, use of cookies and equivalent technologies for the management of advertising spaces or conducting behavioral advertising, and also profiling for advertising purposes.

Autocontrol, the independent self-regulatory body of the advertising industry in Spain, established in 1995 as a non-profit association, is made up of advertisers, advertising agencies, the media and professional associations, with the objective to work towards responsible advertising. The code recently presented by this organisation will apply to member entities established in Spanish territory or to data processing activities that affect data subjects residing in Spain, as long as the data processing is related to the offer of goods and services in Spain or to the monitoring of their behaviour in Spain. 

The code outlines information to be communicated to data subjects when their personal data is collected.

According to this code, the data subject may exercise the right of access, right to rectification, right to erasure, right to object, right to restriction of processing and, where appropriate, the right to data portability regarding the treatment of the data. The data controller must inform the data subject of the processing of their personal data, providing specific information, outlined in articles 13 and 14 of the GDPR, depending on whether they obtained the data from the concerned party or from a different source. In addition, data controllers must inform the concerned parties about their right to object to the use of their personal data for direct marketing purposes, at the time the data is collected. The use of cookies or similar tools by the data controllers will be subject to the provisions of the Information Society Services Law, which is the national law implementing the ePrivacy Directive, or regulations that replace it. 

According to the code, there will be an Advertising Jury which will act on behalf of the Spanish DPA in matters concerning advertising and marketing. 

Autocontrol has also implemented an extrajudicial resolution system to resolve disputes that arise between its data controllers and their data subjects, due to data processing carried out in advertising. With respect to the functions and powers of the Spanish DPA as supervisory authority, the Advertising Jury will act as a supervisory body of this Code. When the Advertising Jury, in resolving a claim, declares a breach of the code, it will rule on the sanctions that, where appropriate, should be imposed in accordance with the provisions of the regulations.

Annually, the Secretariat of the Advertising Jury will prepare a statistical report for each member entity with the relevant data regarding the respective entity’s activity, including both data related to mediations and the decisions of the Advertising Jury. The Secretariat of the Advertising Jury will also prepare an annual collective statistical report to be presented to the Spanish DPA.

Autocontrol has this Code of Conduct in the section for codes of conduct of its website where it can be downloaded free of charge by any user.

Do you process data for advertising and marketing purposes? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling personal data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services and also compliance with the Spanish data protection national law including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

A data broking investigation

A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.


A data broking investigation into Experian as well as Equifax and TransUnion and their use of personal data within their data broken businesses has resulted in enforcement action. The ICO published a report earlier this month, on the findings of their extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.


The investigation found significant processing of personal data unbeknownst to the data subjects, by the CRAs; Equifax, TransUnion and Experian.


The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.


The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.


Through the data broking investigation, the ICO uncovered several data protection failures at each company. 


Through their investigation the ICO found that the personal data provided to each of these CRAs which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new information or previously unknown information about the data subjects. 


These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data. 


While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.


All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them. 


While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making changes set out by the ICO, and as a result, were not prepared to issue privacy information directly to data subjects, nor were they prepared to stop using credit reference data for direct marketing purposes.


Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.


The ICO decided to issue an enforcement notice, as it is seen at the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of it’s total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that hold their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.