Article written by Haim Ravia and Dotan Hammer
The European Data Protection Board (EDPB) has issued for public comments its draft guidance on the concepts of controller and processor in the GDPR. The guidance explores the notions of a controller, joint-controller, and processor, as functional concepts that aim to apportion responsibilities to the different types of actors under the GDPR.
According to the draft guidance, a controller is an entity that decides certain key elements of the processing: the why and how of the processing. An entity must decide both the purposes and the means to qualify as a controller. Key elements of the processing include determination of which data shall be processed, which data subjects to process data about, for how long data should be processed, and who shall have access to the data processed.
Joint controllership arises in the joint participation of two or more entities in the determination of the purposes and means of a processing operation. The joint participation must include the determination of purposes and means. A helpful test to identify joint-controllership is where the processing would not be possible without the participation of the parties (two or more). Joint controllers must determine and agree, preferably in writing, on their respective responsibilities for compliance with the obligations under the GDPR.
A processor, on the other hand, processes personal data on behalf of the controller and under the instructions of the controller, although those instructions may still leave a certain degree of discretion as to the most suitable technical and organizational means. A controller must only use processors that provide sufficient guarantees to comply with the GDPR. Also, any processing of personal data by a processor must be governed by a contract that details the elements that the GDPR requires.
The EDPB also issued for public comments its draft guidance on targeting social media users with specific messages to advance commercial, political, or other interests. According to the guidance, the data processing involved in the user targeting creates risks to the fundamental rights and freedoms of individuals, given the possible lack of transparency and user control. The draft guidelines aim to clarify the roles and responsibilities among the social media provider and the “advertiser”.
The draft guidelines provide various examples of scenarios where social media users are targeted. For most scenarios, the draft guidelines conclude that a join-controller relationship exists between the social media platform and the advertiser. The draft guidelines go on to analyze the possible legal basis for these targeting activities. The draft guidance focuses on the ‘legitimate interest’ basis and the ‘consent’ basis, taking a more critical approach to the suitability of the legitimate interest basis. It also highlighted the importance of transparency and data subject rights in social media targeting activities.
CLICK HERE to read the EDPB’s draft guidelines on the concepts of controller and processor in the GDPR.
CLICK HERE to read the EDPB’s draft guidelines on the targeting of social media users.
