The European Data Protection Board (EDPB) has issued the final version of its guidelines on the concept of controllers and processors under the GDPR, following the draft it published for public comments in September 2020. The guidelines are intended to clarify the concepts of controllers, joint controllers, and processors, which play a crucial part in the application and implementation of the GDPR.
The guidelines mention several characteristics indicative of when an entity is considered a controller, such as when the entity benefits from the processing of the information (other than from the payment for a service it provides); when the processing relates to the relationship with the employees of the entity or its clients; or when the entity has the autonomy to dictate how the information will be processed. On the other hand, processors are characterized by a relationship in which they are subject to another entity’s processing instructions, the absence of further benefit, and the lack of an independent purpose in processing.
The guidelines also provided examples of common scenarios of data processing:
- A company providing electronic communications services such as an electronic mail service will normally be considered the controller in respect to the processing of personal data that is necessary for the operation of the service (unless the service’s sole purpose is to enable the transmission of email messages). However, the controller of any personal data contained inside the message will normally be the person who sent it, and not the service provider company.
- A cloud storage provider that offers standardized, non-customizable storage services, will usually be considered the controller of any personal data that its customer uploads to the service, provided that the cloud service provider does not process the data for its own purposes and stores it solely on behalf of the customer.
In addition, the guidelines explain the implications of an entity being a controller, processor, or joint controller. For example, a controller engaging in an agreement with a processor is required to enter into a data processing agreement under Article 28 of the GDPR. Entities who are joint controllers are required to enter into a joint controller agreement under Article 26 of the GDPR.
Click HERE to read the EDPB’s Guidelines on the Concepts of Controller and Processor in the GDPR.