It can be, and often is, extremely difficult to determine who, in a given situation, is the processor and who is the (joint) controller, especially when converging decisions are involved. So, in this blog, we will take a closer look at both of these roles and explore recent insights and emerging ideas on the subject.
The role to which, under the General Data Protection Regulation, the key burden of responsibility is assigned is that of the controller, defined by the GDPR as a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data. Simply put, this means that the controller is the party that decides why personal data are to be processed and how this processing is to be carried out. As a result, it is the controller who bears responsibility for the accurate and lawful processing of personal data.
The responsibility mentioned above may also be shared by joint controllers. The concept of shared responsibility for processing operations is nothing new, but with the introduction of the GDPR, new and specific rules have become attached to situations in which two or more parties jointly determine the purposes and means of processing (Article 26 of the GDPR). This is why, in its recent (proposed) guidelines, the European Data Protection Board (EDPB) discussed the concept in great detail, proposing the idea that joint responsibility can be the result of a common decision, but also of converging decisions by two or more parties, as suggested by three recent cases handled by the Court of Justice of the European Union (CJEU).
Decisions can be considered to be converging where they are mutually complementary and are necessary for the processing to take place in such a way as to have a noticeable impact on the determination of purposes and means. One important question to be answered, in this context, is whether or not the processing would be possible without both parties’ participation; in other words, whether the processing activities performed by each of the two parties are inextricably linked. An example is presented by the case of Fashion ID, an online shop operating a website with an integrated Facebook ‘Like’ plug-in. What this ‘Like’ button did was trigger transfers of personal data to Facebook, even if visitors to the site did not actually click the plug-in button. In this case, the CJEU ruled that Fashion ID and Facebook were to be considered joint controllers for the collection and transfer to Facebook of personal data, because Fashion ID, by including the button in its website, was exerting a decisive impact on the processing of personal data on behalf of Facebook while at the same time serving its own economic interests. For Fashion ID to be qualified as a controller, it was not necessary that it actually had access to the personal data.
It is important to keep in mind that the situation of joint responsibility for processing operations on the basis of converging decisions is decidedly different from situations which involve the role of a processor, the latter being the party processing personal data on behalf of the controller and not for its own purposes. A simple example would be a webshop (in this case the controller) enlisting the services of a provider for the hosting of its website (where the hosting provider is the processor).
Article 28 of the GDPR states that the relation between controller and processor has to be governed by a contract or other form of legal act. In other words, a processor agreement needs to be in place, specifying, for instance, what the processor is and is not allowed to do with the personal data provided by the controller, for which purposes these data are being provided and which security measures are to be implemented for the protection of the data.
In October 2020, the Dutch data protection authority, Autoriteit Persoonsgegevens, conducted an exploratory investigation of processor agreements commonly used in the private sector (commerce, health care, media, leisure and energy) in order to get a better idea of what exactly these agreements look like and what their content is. As it turned out, there are huge differences in the processor agreements being used in these various branches. This is in direct alignment with the EDPB (proposed) guidelines mentioned above, in which it is emphasised that, although the GDPR does mention clear requirements as to what needs to be included in a processor agreement, the overriding prerequisite is for the agreement to be specific and to cover real, existing issues in the context of practical circumstances. This also means that processor agreements have to be periodically reviewed and amended where necessary.