In July of this year, the European Data Protection Board issued guidelines clarifying the concepts of data controller and data processor, thereby creating a unified interpretation for those applying the GDPR. The document was timely, as it is essential to understand who qualifies as a (joint) controller and is therefore responsible for the lawfulness of the processing. The guidelines are primarily intended to assist controllers, processors and joint controllers in defining their tasks and responsibilities in relation to data processing.
The guidelines help determine controller and processor status on the basis of the questions, practical experience and court decisions that have arisen since the GDPR became applicable. The following is a brief overview of the issues to consider when determining the correct role in a given processing operation.
- For whose benefit is the processing carried out?
The distinction can be drawn mainly by deciding in whose interest, or for whose benefit, the processing takes place. The controller is the party that benefits from the activity (the fee the processor receives for its services does not count as such a benefit), while the processor is the party that carries out the controller's instructions. The processor has no purpose of its own for the processing; it merely acts as a "contractor", with the concept and the rules set by the controller.
- Who decides on processing issues?
The question is which party holds the steering wheel. The essential decisions are taken by the controller. The parties may of course agree that the processor decides certain technical matters within its own competence; the outcome, however, always remains the controller's responsibility.
- To whom can the personal data be linked?
The controller has a relationship with the people whose data are processed. The data subjects may be employees, business partners, members of the organization, and so on. The processor is present as a separate entity, and the personal data it processes are not linked to it.
- Who is the "principal"?
Perhaps the most obvious test is to determine which party is the principal and which performs the assignment. If a company entrusts an external business or person with tasks that involve personal data (e.g. server operation, website development, development of payroll software), the company will be considered the controller, while the party performing the service will be the processor.
- Does the party make its own decisions about the purposes and means of the processing?
The guidelines also address in detail the much-debated position of joint controllers, which perhaps raises the most issues in practice. We were pleased to see that the legal position we have communicated in recent years, especially regarding temporary work agencies, is also reflected in the guidelines. The document states that joint controllership does not require the parties to define all purposes and means together; complementary or successive decisions about the processing also give rise to obligations under Article 26 of the GDPR. It was also confirmed that joint controllers may divide tasks between themselves and regulate liability in their internal relationship. With a well-drafted joint controller agreement, the parties can stipulate in advance the rights and obligations arising from their processing. In this way, a party can limit its exposure to liability for the other party's unlawful processing that would otherwise follow from the general rules and from the decision of the data protection authority.
The parties must regulate their relationship in writing; the guidelines themselves draw attention to this obligation. They also point out that, in addition to the mandatory elements of the contract under the GDPR, the parties may lay down specific provisions on technical and organizational matters in their agreement.
The guidelines, in their entirety, are available at the link below: