The EDPB provides key considerations to clarify the concepts of processor, controller and joint controller in their Guidelines 07/2020.
The European Data Protection Board (EDPB) published their Guidelines 07/2020 on the concepts of controller and processor in the GDPR on 7th September, which aim to offer a precise meaning of these concepts and a criteria for their correct interpretation that is consistent throughout the European Economic Area.
Since the CJEU considered, in its Judgment in Fashion ID, C-40/17, the fashion retailer Fashion ID to be a controller jointly with Facebook by embedding the ‘Like’ button in its website, the concept of joint controllership seems to have a broader meaning, as it may apply now to some data processing that were deemed otherwise in the past.
In our blog today we go through the main insights provided by the EDPB with regard to the concept of joint controller.
The concept of joint controller in the GDPR
Pursuant to the Article 26 of the GDPR, the qualification as joint controller may arise where two or more controllers jointly determine the purposes and means of processing. The GDPR also states that the actors involved shall determine their respective responsibilities for compliance by means of an arrangement between them, whose essence shall be made available to the data subjects. However, the GDPR does not contain further provisions that specify the details around this type of processing, such as the definition of ‘jointly’ or the legal form of the arrangement.
The EDPB explains that joint participation can take the form of a common decision taken by the two or more actors involved in the processing or result from converging decisions by them. Thus in practice, joint participation can take several different forms and it does not require the same degree of involvement or equal responsibility by the controllers in each case.
- Joint participation through common decision. It means deciding together and involves a common intention.
- Joint participation through converging decisions. This one results from the case law of the CJEU on the concept of joint controllers. According to the GDPR, the requirements the decisions should meet to be considered as converging on purposes and means are the following:
- They complement each other.
- They are necessary for the processing to take place in such manner that they have a tangible impact on the determination of the purposes and means of the processing.
As a result, the question that should be contemplated to identify converging decisions would be along the lines of “Would the processing be possible without both parties’ participation in the sense that the processing by each party is inseparable?”.
The EDPB also highlights that the fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership.
Jointly determined purpose(s)
The EDPB considers that there are two scenarios under which the purpose pursued by two or more controllers may be deemed as jointly determined:
- The entities involved in the same processing operation process such data for jointly defined purposes.
- The entities involved pursue purposes which are closely linked or complementary. Such may be the case, for example, when there is a mutual benefit arising from the same processing operation, provided that each of the entities involved participates in the determination of the purposes and means of the relevant processing operation.
Jointly determined means
Joint controllership requires that two or more entities have exerted influence over the means of the processing. However, this does not mean that each entity involved needs in all cases to determine all of the means. There might be different circumstances which would qualify as joint controllership where the rest of requirements are met, even where the determination of the means is not equally shared between the parties, for example:
- Different joint controllers define the means of the processing to a different extent, depending on who is effectively in a position to do so.
- One of the entities involved provides the means of the processing and makes it available for personal data processing activities by other entities. The entity who decides to make use of those means so that personal data can be processed for a particular purpose also participates in the determination of the means of the processing. For example, the choice made by an entity to use for its own purposes a tool or other system developed by another entity, allowing the processing of personal data, will likely amount to a joint decision on the means of that processing by those entities.
Limits of joint controllership
The fact that several actors are involved in the same processing does not mean that they are necessarily acting as joint controllers of such processing. Not all kind of partnerships, cooperation or collaboration imply qualification of joint controllers as such qualification requires a case-by-case analysis of each processing at stake and the precise role of each entity with respect to each processing. The EDPB provides a non-exhaustive list of examples of situations where there is no joint controllership:
- Preceding or subsequent operations: while two actors may be deemed joint controllers with regard to a specific data processing where the purpose and means of its operations are jointly determined, this does not affect the purposes and means of operations that precede or are subsequent in the chain of processing. In that case, the entity that decides alone should be considered as the sole controller of said preceding or subsequent operation.
- Own purpose: the situation of joint controllers acting on the basis of converging decisions should be distinguished from the case of a processor, since the latter, while participating in the performance of a processing, does not process the data for its own purposes but carries out the processing on behalf of the controller.
- Commercial benefit: the mere existence of a mutual benefit arising from a processing activity does not give rise to joint controllership. For example, if one of the entities involved is merely being paid for services rendered, it is acting as a processor rather than as a joint controller.
For instance, the use of a common data processing system or infrastructure will not in all cases lead to qualify the parties involved as joint controllers, in particular where the processing they carry out is separable and could be performed by one party without intervention from the other or where the provider is a processor in the absence of any purpose of its own. Another example would be the transmission of employee data to tax authorities.
Joint controller arrangement
Joint controllers should put in place a joint controller arrangement where they determine and agree on, in a transparent manner, their respective responsibilities for compliance with the GDPR. The following list of non-exhaustive tasks should be specified by means of said arrangement:
- Response to data subjects requests exercised pursuant to the rights granted by the GDPR.
- Transparency duties to provide the data subjects with the relevant information referred in Articles 13 and 14 GDPR.
- Implementation of general data protection principles.
- Legal basis of the processing.
- Security measures.
- Notification of a personal data breach to the supervisory authority and to the data subject.
- Data Protection Impact Assessments.
- The use of a processor.
- Transfers of data to third countries.
- Organisation of contact with data subjects and supervisory authorities.
The EDPB recommends documenting the relevant factors and the internal analysis carried out in order to allocate the different obligations. This analysis is part of the documentation under the accountability principle.
When it comes to the form of the arrangement, even if there is no legal requirement in the GDPR for a contract or other legal act, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject.
The EDPB welcomes comments to the Guidelines until 19th October.