The European Data Protection Board has issued some long-awaited guidance to provide some much-needed clarification on the roles of controller and processor and joint controller.  Although these concepts pre-date the GDPR, its introduction seems to have muddied the waters with traditional views shifting on the roles of parties when determining who is a controller or processor.

This shift in view has resulted in many protracted negotiations between organisations on their respective data protection obligations so this draft guidance should (hopefully) be welcomed by privacy practitioners.

The draft guidance published on 7 September 2020 is not short, 48-pages to be precise.  However, it sets out detailed analysis on how to determine in respect of a particular data processing activity who is a controller, processor, and third party.  It also provides further clarification on joint controllership.

The draft guidance also includes numerous examples to provide organisations with a clearer steer to help them accurately assess their data processing status. Although sadly for those people thinking this guidance might spell the end of these protracted negotiations, there will always be room for debate.

Some key takeaways include:

  • Joint controllership does not equate to joint liability. Each entity is responsible and liable for its own part of the process.
  • Organisations receiving aggregated reports (e.g. in a market research context) may be a controller even if they cannot access the raw data.  This view is on the basis that the organisation commissioning the report is the entity that ultimately decides the processing should take place, and its purpose.
  • Organisations carrying out marketing research are more likely to be considered a processor where the client has provided instructions/guidance on the parameters of the market research.  This interpretation should be read in line with the ICO guidance which typically positions market research organisations as joint controllers.
  • One or more parties can still be joint controllers in respect of a particular data processing activity despite their different interests in the respective purpose (e.g.  a health care provider and a university science department working together on a research project).
  • Art 28 data processing agreements should not simply restate the provisions of Art 28 of GDPR but provide details on how the processor will meet those obligations. For example, the processing agreement should set out the security measures the processor will take to meet its Art 32 obligation and how assistance can be provided to help controllers comply with their own obligations under the GDPR.  DPAs should also be clear that the right to audit a processor extends to sub-processors.  We suspect this additional clarity on how to draft Art 28 agreements is unlikely to be welcomed by certain providers (including cloud storage providers) who find the provisions problematic enough and deliberately take advantage of the some of the vagueness in the drafting. It will also not bring joy to the ears of those who like to keep data processing agreements short and sweet.
  • Joint controller arrangements need to spell out each party’s obligations with respect to the joint processing activities.  When determining allocation of responsibility, joint controllers should consider (without limitation): a) implementation of general data protection principles; b) legal basis of the processing;  c) security measures; d) notification of a personal data breach to the supervisory authority and to the data subject; e) carrying out Data Protection Impact Assessments; f) use of processors; e) transfers of data to third countries; and g) organisation of contact with data subjects and supervisory authorities.
  • Joint controller arrangements should be set out in a binding contract and the provisions of the arrangement made clear to data subjects.
  • Joint controller arrangements also need to ensure that their allocation of responsibility does not impose an excessive burden on the data subject,  e.g. requiring a data subject to reach out to a controller outside of its jurisdiction when the other controller is within its jurisdiction. 
  • The existence of an arrangement (in writing or otherwise) between joint controllers does not prevent data subjects/supervisory authorities from enforcing their rights against a particular controller. 

Unfortunately, while this guidance is helpful, establishing status and responsibilities as a controller, processor, or joint controller remains complex and short and simple data processing agreements are a thing of the past – at least in the eyes of the regulators!

The guidance is still in draft, so any interested parties can contribute to the public consultation – it’s open until 19 October 2020.